From 4f431dfb02b8d85da546df821d8d711d4e82a683 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Thu, 3 Sep 2020 15:37:59 -0600
Subject: [PATCH 1/4] Add RHCOS STIG content and enable for NIST

---
 rhcos4/CMakeLists.txt                         |   7 +
 rhcos4/overlays/srg_support.xml               | 173 ++++++++++
 rhcos4/profiles/ospp.profile                  | 311 ++++++++++++++++++
 rhcos4/profiles/stig.profile                  |  23 ++
 rhcos4/transforms/cci2html.xsl                |   6 +
 rhcos4/transforms/constants.xslt              |   2 +-
 rhcos4/transforms/table-add-srgitems.xslt     |   7 +
 rhcos4/transforms/table-sortbyref.xslt        |   6 +
 rhcos4/transforms/table-srgmap.xslt           |  11 +
 rhcos4/transforms/table-style.xslt            |   5 +
 .../transforms/xccdf-apply-overlay-stig.xslt  |   8 +
 rhcos4/transforms/xccdf2stigformat.xslt       |   7 +
 rhcos4/transforms/xccdf2table-byref.xslt      |   9 +
 rhcos4/transforms/xccdf2table-cce.xslt        |   9 +
 .../xccdf2table-profileanssirefs.xslt         |   8 +
 .../xccdf2table-profileccirefs.xslt           |   9 +
 .../xccdf2table-profilecisrefs.xslt           |   9 +
 .../xccdf2table-profilenistrefs-cui.xslt      |   8 +
 .../xccdf2table-profilenistrefs.xslt          |   8 +
 rhcos4/transforms/xccdf2table-stig.xslt       |   9 +
 20 files changed, 634 insertions(+), 1 deletion(-)
 create mode 100644 rhcos4/overlays/srg_support.xml
 create mode 100644 rhcos4/profiles/ospp.profile
 create mode 100644 rhcos4/profiles/stig.profile
 create mode 100644 rhcos4/transforms/cci2html.xsl
 create mode 100644 rhcos4/transforms/table-add-srgitems.xslt
 create mode 100644 rhcos4/transforms/table-sortbyref.xslt
 create mode 100644 rhcos4/transforms/table-srgmap.xslt
 create mode 100644 rhcos4/transforms/table-style.xslt
 create mode 100644 rhcos4/transforms/xccdf-apply-overlay-stig.xslt
 create mode 100644 rhcos4/transforms/xccdf2stigformat.xslt
 create mode 100644 rhcos4/transforms/xccdf2table-byref.xslt
 create mode 100644 rhcos4/transforms/xccdf2table-cce.xslt
 create mode 100644 rhcos4/transforms/xccdf2table-profileanssirefs.xslt
 create mode 100644 rhcos4/transforms/xccdf2table-profileccirefs.xslt
 create mode 100644 rhcos4/transforms/xccdf2table-profilecisrefs.xslt
 create mode 100644 rhcos4/transforms/xccdf2table-profilenistrefs-cui.xslt
 create mode 100644 rhcos4/transforms/xccdf2table-profilenistrefs.xslt
 create mode 100644 rhcos4/transforms/xccdf2table-stig.xslt

diff --git a/rhcos4/CMakeLists.txt b/rhcos4/CMakeLists.txt
index 01e628ca174..3ab1b56e4dd 100644
--- a/rhcos4/CMakeLists.txt
+++ b/rhcos4/CMakeLists.txt
@@ -8,3 +8,10 @@ set(DISA_SRG_TYPE "os")
 set(PRODUCT_REMEDIATION_LANGUAGES "ignition;kubernetes")
 
 ssg_build_product(${PRODUCT})
+
+ssg_build_html_table_by_ref(${PRODUCT} "nist")
+ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+ssg_build_html_nistrefs_table(${PRODUCT} "stig")
+ssg_build_html_cce_table(${PRODUCT})
+ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
diff --git a/rhcos4/overlays/srg_support.xml b/rhcos4/overlays/srg_support.xml
new file mode 100644
index 00000000000..7c89f52017e
--- /dev/null
+++ b/rhcos4/overlays/srg_support.xml
@@ -0,0 +1,173 @@
+<Group id="srg_support" hidden="true">
+<title>Documentation to Support DISA OS SRG Mapping</title>
+<description>These groups exist to document how the Red Hat Enterprise Linux
+product meets (or does not meet) requirements listed in the DISA OS SRG, for
+those cases where Groups or Rules elsewhere in scap-security-guide do
+not clearly relate.
+</description>
+
+
+<!-- The CCI/SRG items referenced here are:
+     - satisfied (through design and implementation)
+     - selected in DoD baseline (per CNSS 1253) -->
+<Rule id="met_inherently_generic">
+<title>Product Meets this Requirement</title>
+<rationale>
+Red Hat Enterprise Linux meets this requirement through design and implementation.
+</rationale>
+<ocil>RHEL8 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+          it should not have CCE association -->
+<ref disa="15,42,56,206,1084,66,85,86,185,223,171,172,1694,770,804,162,163,164,345,346,1096,1111,1291,386,156,186,1083,1082,1090,804,1127,1128,1129,1248,1265,1314,1362,1368,1310,1311,1328,1399,1400,1404,1405,1427,1499,1632,1693,1665,1674" />
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here relate to auditing, and are:
+     - satisfied (through design and implementation)
+     - selected in DoD baseline (per CNSS 1253) -->
+<Rule id="met_inherently_auditing">
+<title>Product Meets this Requirement</title>
+<rationale>
+The Red Hat Enterprise Linux audit system meets this requirement through design and implementation.
+</rationale>
+<ocil>The RHEL8 auditing system supports this requirement and cannot be configured to be out of
+compliance. Every audit record in RHEL includes a timestamp, the operation attempted,
+success or failure of the operation, the subject involved (executable/process),
+the object involved (file/path), and security labels for the subject and object.
+It also includes the ability to label events with custom key labels.  The auditing system
+centralizes the recording of audit events for the entire system and includes
+reduction (<tt>ausearch</tt>), reporting (<tt>aureport</tt>), and real-time
+response (<tt>audispd</tt>) facilities.
+This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+          it should not have CCE association -->
+<ref disa="130,157,131,132,133,134,135,159,174" />
+</Rule>
+
+
+<!-- The CCI/SRG item referenced here are:
+     - satisfied (through design and implementation)
+     - not selected in a DoD baseline -->
+<Rule id="met_inherently_nonselected">
+<title>Product Meets this Requirement</title>
+<rationale>
+Red Hat Enterprise Linux meets this requirement through design and implementation.
+</rationale>
+<ocil>RHEL8 supports this requirement and cannot be configured to be out of
+compliance. This is a permanent not a finding.
+</ocil>
+<description>
+This requirement is a permanent not a finding. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+          it should not have CCE association -->
+<ref disa="34,35,99,154,226,802,872,1086,1087,1089,1091,1424,1426,1428,1209,1214,1237,1269,1338,1425,1670" />
+</Rule>
+
+
+<!-- The CCI/SRG item listed here are:
+     - satisfied (by Rules in the guidance, which include the reference)
+     - not selected in DoD baseline -->
+<!-- disa="26,32,771,772,831,884,888,1095,1115,1117,1250,1348,1353,1464,1496" -->
+
+
+<!-- The CCI/SRG item referenced here are:
+     - not satisfied
+     - not selected in a DoD baseline
+     - considered out of scope -->
+<Rule id="unmet_nonfinding_nonselected_scope">
+<title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
+<rationale>
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+</rationale>
+<ocil>
+RHEL8 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+</ocil>
+<description>
+This requirement is NA. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+          it should not have CCE association -->
+<ref disa="21,25,28,29,30,165,221,354,553,779,780,781,1009,1094,1123,1124,1125,1132,1135,1140,1141,1142,1143,1145,1147,1148,1166,1339,1340,1341,1350,1356,1373,1374,1383,1391,1392,1395,1662" />
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here are:
+     - not satisfied
+     - not selected in a DoD baseline
+     - considered permanent findings -->
+<Rule id="unmet_finding_nonselected">
+<title>Implementation of the Requirement is Not Supported</title>
+<rationale>
+RHEL8 does not support this requirement.
+</rationale>
+<ocil>
+This is a permanent finding.
+</ocil>
+<description>
+This requirement is a permanent finding and cannot be fixed. An appropriate
+mitigation for the system must be implemented but this finding cannot be
+considered fixed.
+</description>
+<ref disa="20,31,52,144,1158,1294,1295,1500" />
+<!-- Note: CCI 52 supported for text login, but not graphical -->
+</Rule>
+
+
+<!-- The CCI/SRG items referenced here are:
+     - not satisfied
+     - selected in a DoD baseline
+     - considered NA -->
+<Rule id="unmet_nonfinding_scope">
+<title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
+<rationale>
+The guidance does not meet this requirement.
+The requirement is impractical or out of scope.
+</rationale>
+<ocil>
+RHEL8 cannot support this requirement without assistance from an external
+application, policy, or service. This requirement is NA.
+</ocil>
+<description>
+This requirement is NA. No fix is required.
+</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+     it should not have CCE association -->
+<ref disa="27,218,219,371,372,535,537,539,1682,370,37,24,1112,1126,1143,1149,1157,1159,1210,1211,1274,1372,1376,1377,1352,1401,1555,1556,1150" />
+</Rule>
+
+<Rule id="update_process">
+<title>A process for prompt installation of OS updates must exist.</title>
+<rationale>
+This is a manual inquiry about update procedure.
+</rationale>
+<ocil>
+Ask an administrator if a process exists to promptly and automatically apply OS
+software updates.  If such a process does not exist, this is a finding.
+<br /><br />
+If the OS update process limits automatic updates of software packages, where
+such updates would impede normal system operation, to scheduled maintenance
+windows, but still within IAVM-dictated timeframes, this is not a finding.
+</ocil>
+<description>
+Procedures to promptly apply software updates must be established and
+executed. The Red Hat operating system provides support for automating such a
+process, by running the yum program through a cron job or by managing the
+system and its packages through the Red Hat Network or a Satellite Server.
+</description>
+<ref disa="1232" />
+<!-- Note: This is a process, as such, will not receive a CCE -->
+</Rule>
+
+</Group>
diff --git a/rhcos4/profiles/ospp.profile b/rhcos4/profiles/ospp.profile
new file mode 100644
index 00000000000..5db9a88168d
--- /dev/null
+++ b/rhcos4/profiles/ospp.profile
@@ -0,0 +1,311 @@
+documentation_complete: true
+
+title: 'Protection Profile for General Purpose Operating Systems'
+
+description: |-
+    This profile reflects mandatory configuration controls identified in the
+    NIAP Configuration Annex to the Protection Profile for General Purpose
+    Operating Systems (Protection Profile Version 4.2.1).
+
+    This configuration profile is consistent with CNSSI-1253, which requires
+    U.S. National Security Systems to adhere to certain configuration
+    parameters. Accordingly, this configuration profile is suitable for
+    use in U.S. National Security Systems.
+
+selections:
+
+    #######################################################
+    ### GENERAL REQUIREMENTS
+    ### Things needed to meet OSPP functional requirements.
+    #######################################################
+
+    ### Partitioning
+    - mount_option_home_nodev
+    - mount_option_home_nosuid
+    - mount_option_tmp_nodev
+    - mount_option_tmp_noexec
+    - mount_option_tmp_nosuid
+    - mount_option_var_tmp_nodev
+    - mount_option_var_tmp_noexec
+    - mount_option_var_tmp_nosuid
+    - mount_option_dev_shm_nodev
+    - mount_option_dev_shm_noexec
+    - mount_option_dev_shm_nosuid
+    - mount_option_nodev_nonroot_local_partitions
+    - mount_option_boot_nodev
+    - mount_option_boot_nosuid
+    - partition_for_home
+    - partition_for_var
+    - mount_option_var_nodev
+    - partition_for_var_log
+    - mount_option_var_log_nodev
+    - mount_option_var_log_nosuid
+    - mount_option_var_log_noexec
+    - partition_for_var_log_audit
+    - mount_option_var_log_audit_nodev
+    - mount_option_var_log_audit_nosuid
+    - mount_option_var_log_audit_noexec
+
+    ### Services
+    # sshd
+    - sshd_disable_root_login
+    - sshd_enable_strictmodes
+    - disable_host_auth
+    - sshd_disable_empty_passwords
+    - sshd_disable_kerb_auth
+    - sshd_disable_gssapi_auth
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive
+    - sshd_enable_warning_banner
+    - sshd_rekey_limit
+    - var_rekey_limit_size=1G
+    - var_rekey_limit_time=1hour
+
+    # Time Server
+    - chronyd_client_only
+    - chronyd_no_chronyc_network
+
+    ### Network Settings
+    - sysctl_net_ipv6_conf_all_accept_ra
+    - sysctl_net_ipv6_conf_default_accept_ra
+    - sysctl_net_ipv4_conf_all_accept_redirects
+    - sysctl_net_ipv4_conf_default_accept_redirects
+    - sysctl_net_ipv6_conf_all_accept_redirects
+    - sysctl_net_ipv6_conf_default_accept_redirects
+    - sysctl_net_ipv4_conf_all_accept_source_route
+    - sysctl_net_ipv4_conf_default_accept_source_route
+    - sysctl_net_ipv6_conf_all_accept_source_route
+    - sysctl_net_ipv6_conf_default_accept_source_route
+    - sysctl_net_ipv4_conf_all_secure_redirects
+    - sysctl_net_ipv4_conf_default_secure_redirects
+    - sysctl_net_ipv4_conf_all_send_redirects
+    - sysctl_net_ipv4_conf_default_send_redirects
+    - sysctl_net_ipv4_conf_all_log_martians
+    - sysctl_net_ipv4_conf_default_log_martians
+    - sysctl_net_ipv4_conf_all_rp_filter
+    - sysctl_net_ipv4_conf_default_rp_filter
+    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+    - sysctl_net_ipv4_tcp_syncookies
+
+    ### systemd
+    - disable_ctrlaltdel_reboot
+    - disable_ctrlaltdel_burstaction
+    - service_debug-shell_disabled
+
+    ### umask
+    - var_accounts_user_umask=027
+    - accounts_umask_etc_profile
+    - accounts_umask_etc_bashrc
+    - accounts_umask_etc_csh_cshrc
+
+    ### Software update
+    - ensure_redhat_gpgkey_installed
+
+    ### Kernel Config
+    ## Boot prompt
+    - grub2_audit_argument
+    - grub2_audit_backlog_limit_argument
+    - grub2_slub_debug_argument
+    - grub2_page_poison_argument
+    - grub2_vsyscall_argument
+    - grub2_vsyscall_argument.role=unscored
+    - grub2_vsyscall_argument.severity=info
+    - grub2_pti_argument
+
+    ## Security Settings
+    - sysctl_kernel_kptr_restrict
+    - sysctl_kernel_dmesg_restrict
+    - sysctl_kernel_kexec_load_disabled
+    - sysctl_kernel_yama_ptrace_scope
+    - sysctl_kernel_perf_event_paranoid
+    - sysctl_user_max_user_namespaces
+    - sysctl_user_max_user_namespaces.role=unscored
+    - sysctl_user_max_user_namespaces.severity=info
+    - sysctl_kernel_unprivileged_bpf_disabled
+    - sysctl_net_core_bpf_jit_harden
+
+    ## File System Settings
+    - sysctl_fs_protected_hardlinks
+    - sysctl_fs_protected_symlinks
+
+    ### Audit
+    - service_auditd_enabled
+    - var_auditd_flush=incremental_async
+    - auditd_data_retention_flush
+    - auditd_local_events
+    - auditd_write_logs
+    - auditd_log_format
+    - auditd_freq
+    - auditd_name_format
+
+    ### Module Blacklist
+    - kernel_module_cramfs_disabled
+    - kernel_module_bluetooth_disabled
+    - kernel_module_sctp_disabled
+    - kernel_module_firewire-core_disabled
+    - kernel_module_atm_disabled
+    - kernel_module_can_disabled
+    - kernel_module_tipc_disabled
+
+    ### rpcbind
+
+    ### Install Required Packages
+    - package_usbguard_installed
+    - package_audit_installed
+
+    ### Remove Prohibited Packages
+    - package_sendmail_removed
+
+    ### Login
+    - disable_users_coredumps
+    - sysctl_kernel_core_pattern
+    - coredump_disable_storage
+    - coredump_disable_backtraces
+    - service_systemd-coredump_disabled
+    - var_accounts_max_concurrent_login_sessions=10
+    - accounts_max_concurrent_login_sessions
+
+    ### SELinux Configuration
+    - var_selinux_state=enforcing
+    - selinux_state
+    - var_selinux_policy_name=targeted
+    - selinux_policytype
+
+    ### Application Whitelisting (RHEL 8)
+    - package_fapolicyd_installed
+    - service_fapolicyd_enabled
+
+    ### Configure USBGuard
+    - service_usbguard_enabled
+    - configure_usbguard_auditbackend
+    - usbguard_allow_hid_and_hub
+
+    ### Enable / Configure FIPS
+    - enable_fips_mode
+    - var_system_crypto_policy=fips_ospp
+    - configure_crypto_policy
+    - configure_ssh_crypto_policy
+    - configure_openssl_crypto_policy
+    - configure_libreswan_crypto_policy
+    - configure_kerberos_crypto_policy
+    - enable_dracut_fips_module
+
+    ## Enable Screen Lock
+    ## FMT_MOF_EXT.1
+    - package_tmux_installed
+    - configure_bashrc_exec_tmux
+    - no_tmux_in_shells
+    - configure_tmux_lock_command
+    - configure_tmux_lock_after_time
+
+    ## Set Screen Lock Timeout Period to 30 Minutes or Less
+    ## AC-11(a) / FMT_MOF_EXT.1
+    ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
+    - sshd_idle_timeout_value=14_minutes
+    - sshd_set_idle_timeout
+
+    ## Disable Unauthenticated Login (such as Guest Accounts)
+    ## FIA_UAU.1
+    - require_singleuser_auth
+    - grub2_disable_interactive_boot
+    - grub2_uefi_password
+    - no_empty_passwords
+
+    ## Enable Host-Based Firewall
+    ## SC-7(12) / FMT_MOF_EXT.1
+    - service_iptables_enabled
+
+    ## Set Logon Warning Banner
+    ## AC-8(a) / FMT_MOF_EXT.1
+
+    ## Audit All Logons (Success/Failure) and Logoffs (Success)
+    ##  CNSSI 1253 Value or DoD-Specific Values:
+    ##      (1) Logons (Success/Failure)
+    ##      (2) Logoffs (Success)
+    ## AU-2(a) / FAU_GEN.1.1.c
+
+    ## Audit File and Object Events (Unsuccessful)
+    ##  CNSSI 1253 Value or DoD-specific Values:
+    ##      (1) Create (Success/Failure)
+    ##      (2) Access (Success/Failure)
+    ##      (3) Delete (Sucess/Failure)
+    ##      (4) Modify (Success/Failure)
+    ##      (5) Permission Modification (Sucess/Failure)
+    ##      (6) Ownership Modification (Success/Failure)
+    ## AU-2(a) / FAU_GEN.1.1.c
+    ##
+    ##
+    ## (1) Create (Success/Failure)
+    ##      (open with O_CREAT)
+    ## (2) Access (Success/Failure)
+    ## (3) Delete (Success/Failure)
+    ## (4) Modify (Success/Failure)
+    ## (5) Permission Modification (Success/Failure)
+    ## (6) Ownership Modification (Success/Failure)
+
+    ## Audit User and Group Management Events (Success/Failure)
+    ##  CNSSI 1253 Value or DoD-specific Values:
+    ##      (1) User add, delete, modify, disable, enable (Success/Failure)
+    ##      (2) Group/Role add, delete, modify (Success/Failure)
+    ## AU-2(a) / FAU_GEN.1.1.c
+    ##
+    ## Generic User and Group Management Events (Success/Failure)
+    ## Selection of setuid programs that relate to
+    ## user accounts.
+    ##
+    ## CNSSI 1253: (1) User add, delete, modify, disable, enable (Success/Failure)
+    ##
+    ## CNSSI 1252: (2) Group/Role add, delete, modify (Success/Failure)
+    ##
+    ## Audit Privilege or Role Escalation Events (Success/Failure)
+    ##  CNSSI 1253 Value or DoD-specific Values:
+    ##      - Privilege/Role escalation (Success/Failure)
+    ## AU-2(a) / FAU_GEN.1.1.c
+    ## Audit All Audit and Log Data Accesses (Success/Failure)
+    ##  CNSSI 1253 Value or DoD-specific Values:
+    ##      - Audit and log data access (Success/Failure)
+    ## AU-2(a) / FAU_GEN.1.1.c
+    ## Audit Cryptographic Verification of Software (Success/Failure)
+    ##  CNSSI 1253 Value or DoD-specific Values:
+    ##      - Applications (e.g. Firefox, Internet Explorer, MS Office Suite,
+    ##        etc) initialization (Success/Failure)
+    ## AU-2(a) / FAU_GEN.1.1.c
+    ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
+    ## AU-2(a) / FAU_GEN.1.1.c
+    - audit_basic_configuration
+    - audit_immutable_login_uids
+    - audit_create_failed
+    - audit_create_success
+    - audit_modify_failed
+    - audit_modify_success
+    - audit_access_failed
+    - audit_access_success
+    - audit_delete_failed
+    - audit_delete_success
+    - audit_perm_change_failed
+    - audit_perm_change_success
+    - audit_owner_change_failed
+    - audit_owner_change_success
+    - audit_ospp_general
+    - audit_module_load
+
+    # Prevent Kerberos use by system daemons
+    - kerberos_disable_no_keytab
+
+    # set ssh client rekey limit
+    - ssh_client_rekey_limit
+    - var_ssh_client_rekey_limit_size=1G
+    - var_ssh_client_rekey_limit_time=1hour
+
+    # zIPl specific rules
+    - zipl_bls_entries_only
+    - zipl_bootmap_is_up_to_date
+    - zipl_audit_argument
+    - zipl_audit_backlog_limit_argument
+    - zipl_slub_debug_argument
+    - zipl_page_poison_argument
+    - zipl_vsyscall_argument
+    - zipl_vsyscall_argument.role=unscored
+    - zipl_vsyscall_argument.severity=info
+    - zipl_pti_argument
diff --git a/rhcos4/profiles/stig.profile b/rhcos4/profiles/stig.profile
new file mode 100644
index 00000000000..0d5b4679083
--- /dev/null
+++ b/rhcos4/profiles/stig.profile
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS'
+
+description: |-
+    This profile contains configuration checks that align to the
+    [DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS which
+    is the operating system layer of Red Hat OpenShift Container
+    Platform.
+
+extends: ospp
+
+selections:
+    - login_banner_text=dod_banners
+    - banner_etc_issue
+    - audit_rules_usergroup_modification_passwd
+    - sssd_enable_smartcards
+    - sssd_offline_cred_expiration
+    - encrypt_partitions
+    - accounts_tmout
+    - sudo_remove_no_authenticate
+    - sudo_remove_nopasswd
+    - sudo_require_authentication
diff --git a/rhcos4/transforms/cci2html.xsl b/rhcos4/transforms/cci2html.xsl
new file mode 100644
index 00000000000..59d708ad679
--- /dev/null
+++ b/rhcos4/transforms/cci2html.xsl
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cci="https://public.cyber.mil/stigs/cci">
+
+<xsl:include href="../../shared/transforms/shared_cci2html.xsl"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/constants.xslt b/rhcos4/transforms/constants.xslt
index eee9e6735b6..d0555aae470 100644
--- a/rhcos4/transforms/constants.xslt
+++ b/rhcos4/transforms/constants.xslt
@@ -10,7 +10,7 @@
 
 <xsl:variable name="cisuri">empty</xsl:variable>
 <xsl:variable name="disa-stigs-uri" select="$disa-stigs-os-unix-linux-uri"/>
-<xsl:variable name="os-stigid-concat" />
+<xsl:variable name="disa-srguri" select="$disa-ossrguri"/>
 
 <!-- Define URI for custom CCE identifier which can be used for mapping to corporate policy -->
 <!--xsl:variable name="custom-cce-uri">https://www.example.org</xsl:variable-->
diff --git a/rhcos4/transforms/table-add-srgitems.xslt b/rhcos4/transforms/table-add-srgitems.xslt
new file mode 100644
index 00000000000..e741fb89615
--- /dev/null
+++ b/rhcos4/transforms/table-add-srgitems.xslt
@@ -0,0 +1,7 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:cci="https://public.cyber.mil/stigs/cci">
+
+<xsl:include href="../../shared/transforms/shared_table-add-srgitems.xslt"/>
+<xsl:variable name="srgtable" select="document('../output/table-rhel8-srgmap-flat.xhtml')/html/body/table" />
+<xsl:variable name="cci_list" select="document('../../shared/references/disa-cci-list.xml')/cci:cci_list" />
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/table-sortbyref.xslt b/rhcos4/transforms/table-sortbyref.xslt
new file mode 100644
index 00000000000..bd97ee1cab2
--- /dev/null
+++ b/rhcos4/transforms/table-sortbyref.xslt
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_table-sortbyref.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/table-srgmap.xslt b/rhcos4/transforms/table-srgmap.xslt
new file mode 100644
index 00000000000..23c2f60a2c2
--- /dev/null
+++ b/rhcos4/transforms/table-srgmap.xslt
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:include href="../../shared/transforms/shared_table-srgmap.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+<xsl:variable name="items" select="document($map-to-items)//*[cdf:reference]" />
+<xsl:variable name="title" select="document($map-to-items)/cdf:Benchmark/cdf:title" />
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/table-style.xslt b/rhcos4/transforms/table-style.xslt
new file mode 100644
index 00000000000..218d0f75421
--- /dev/null
+++ b/rhcos4/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf-apply-overlay-stig.xslt b/rhcos4/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000000..38b354afb89
--- /dev/null
+++ b/rhcos4/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2stigformat.xslt b/rhcos4/transforms/xccdf2stigformat.xslt
new file mode 100644
index 00000000000..5421604fa3c
--- /dev/null
+++ b/rhcos4/transforms/xccdf2stigformat.xslt
@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" exclude-result-prefixes="cdf">
+
+<xsl:include href="../../shared/transforms/shared_xccdf2stigformat.xslt"/>
+<xsl:include href="constants.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2table-byref.xslt b/rhcos4/transforms/xccdf2table-byref.xslt
new file mode 100644
index 00000000000..88a53f50abd
--- /dev/null
+++ b/rhcos4/transforms/xccdf2table-byref.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-byref.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2table-cce.xslt b/rhcos4/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000000..1ffb22215c2
--- /dev/null
+++ b/rhcos4/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2table-profileanssirefs.xslt b/rhcos4/transforms/xccdf2table-profileanssirefs.xslt
new file mode 100644
index 00000000000..b790974c802
--- /dev/null
+++ b/rhcos4/transforms/xccdf2table-profileanssirefs.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profileanssirefs.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2table-profileccirefs.xslt b/rhcos4/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000000..5a104d956f1
--- /dev/null
+++ b/rhcos4/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2table-profilecisrefs.xslt b/rhcos4/transforms/xccdf2table-profilecisrefs.xslt
new file mode 100644
index 00000000000..92cbdf9b455
--- /dev/null
+++ b/rhcos4/transforms/xccdf2table-profilecisrefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profilecisrefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2table-profilenistrefs-cui.xslt b/rhcos4/transforms/xccdf2table-profilenistrefs-cui.xslt
new file mode 100644
index 00000000000..7596f8b49cd
--- /dev/null
+++ b/rhcos4/transforms/xccdf2table-profilenistrefs-cui.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profilenistrefs-cui.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2table-profilenistrefs.xslt b/rhcos4/transforms/xccdf2table-profilenistrefs.xslt
new file mode 100644
index 00000000000..8e97c33344a
--- /dev/null
+++ b/rhcos4/transforms/xccdf2table-profilenistrefs.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-profilenistrefs.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/rhcos4/transforms/xccdf2table-stig.xslt b/rhcos4/transforms/xccdf2table-stig.xslt
new file mode 100644
index 00000000000..2fb56fa7d0a
--- /dev/null
+++ b/rhcos4/transforms/xccdf2table-stig.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../shared/transforms/shared_xccdf2table-stig.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>

From 415191bf7834e19c9a1ef652171da8097dc0a4b8 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Mon, 14 Sep 2020 17:12:11 -0600
Subject: [PATCH 2/4] Add SRG overlay

---
 rhcos4/overlays/srg_support.xml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/rhcos4/overlays/srg_support.xml b/rhcos4/overlays/srg_support.xml
index 7c89f52017e..039e0bacfa2 100644
--- a/rhcos4/overlays/srg_support.xml
+++ b/rhcos4/overlays/srg_support.xml
@@ -1,7 +1,7 @@
 <Group id="srg_support" hidden="true">
 <title>Documentation to Support DISA OS SRG Mapping</title>
-<description>These groups exist to document how the Red Hat Enterprise Linux
-product meets (or does not meet) requirements listed in the DISA OS SRG, for
+<description>These groups exist to document how Red Hat Enterprise Linux CoreOS
+meets (or does not meet) requirements listed in the DISA OS SRG, for
 those cases where Groups or Rules elsewhere in scap-security-guide do
 not clearly relate.
 </description>
@@ -13,9 +13,9 @@ not clearly relate.
 <Rule id="met_inherently_generic">
 <title>Product Meets this Requirement</title>
 <rationale>
-Red Hat Enterprise Linux meets this requirement through design and implementation.
+Red Hat Enterprise Linux CoreOS meets this requirement through design and implementation.
 </rationale>
-<ocil>RHEL8 supports this requirement and cannot be configured to be out of
+<ocil>Red Hat Enterprise Linux CoreOS supports this requirement and cannot be configured to be out of
 compliance. This is a permanent not a finding.
 </ocil>
 <description>
@@ -33,9 +33,9 @@ This requirement is a permanent not a finding. No fix is required.
 <Rule id="met_inherently_auditing">
 <title>Product Meets this Requirement</title>
 <rationale>
-The Red Hat Enterprise Linux audit system meets this requirement through design and implementation.
+The Red Hat Enterprise Linux CoreOS audit system meets this requirement through design and implementation.
 </rationale>
-<ocil>The RHEL8 auditing system supports this requirement and cannot be configured to be out of
+<ocil>The Red Hat Enterprise Linux CoreOS auditing system supports this requirement and cannot be configured to be out of
 compliance. Every audit record in RHEL includes a timestamp, the operation attempted,
 success or failure of the operation, the subject involved (executable/process),
 the object involved (file/path), and security labels for the subject and object.
@@ -60,9 +60,9 @@ This requirement is a permanent not a finding. No fix is required.
 <Rule id="met_inherently_nonselected">
 <title>Product Meets this Requirement</title>
 <rationale>
-Red Hat Enterprise Linux meets this requirement through design and implementation.
+Red Hat Enterprise Linux CoreOS meets this requirement through design and implementation.
 </rationale>
-<ocil>RHEL8 supports this requirement and cannot be configured to be out of
+<ocil>Red Hat Enterprise Linux CoreOS supports this requirement and cannot be configured to be out of
 compliance. This is a permanent not a finding.
 </ocil>
 <description>
@@ -91,7 +91,7 @@ The guidance does not meet this requirement.
 The requirement is impractical or out of scope.
 </rationale>
 <ocil>
-RHEL8 cannot support this requirement without assistance from an external
+Red Hat Enterprise Linux CoreOS cannot support this requirement without assistance from an external
 application, policy, or service. This requirement is NA.
 </ocil>
 <description>
@@ -110,7 +110,7 @@ This requirement is NA. No fix is required.
 <Rule id="unmet_finding_nonselected">
 <title>Implementation of the Requirement is Not Supported</title>
 <rationale>
-RHEL8 does not support this requirement.
+Red Hat Enterprise Linux CoreOS does not support this requirement.
 </rationale>
 <ocil>
 This is a permanent finding.
@@ -136,7 +136,7 @@ The guidance does not meet this requirement.
 The requirement is impractical or out of scope.
 </rationale>
 <ocil>
-RHEL8 cannot support this requirement without assistance from an external
+Red Hat Enterprise Linux CoreOS cannot support this requirement without assistance from an external
 application, policy, or service. This requirement is NA.
 </ocil>
 <description>

From 9d8cc465bc3e9bb735d453973a1c1de4d2b7a845 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Tue, 29 Sep 2020 13:09:27 -0600
Subject: [PATCH 3/4] Enable rules and fix zipl template for RHCOS

---
 linux_os/guide/services/mail/package_sendmail_removed/rule.yml  | 2 +-
 linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml    | 2 +-
 .../guide/services/sssd/sssd_offline_cred_expiration/rule.yml   | 2 +-
 .../console_screen_locking/configure_bashrc_exec_tmux/rule.yml  | 2 +-
 .../configure_tmux_lock_after_time/rule.yml                     | 2 +-
 .../console_screen_locking/configure_tmux_lock_command/rule.yml | 2 +-
 .../console_screen_locking/package_tmux_installed/rule.yml      | 2 +-
 .../system/accounts/accounts-session/accounts_tmout/rule.yml    | 2 +-
 .../system/auditing/policy_rules/audit_access_failed/rule.yml   | 2 +-
 .../system/auditing/policy_rules/audit_access_success/rule.yml  | 2 +-
 .../auditing/policy_rules/audit_basic_configuration/rule.yml    | 2 +-
 .../system/auditing/policy_rules/audit_create_failed/rule.yml   | 2 +-
 .../system/auditing/policy_rules/audit_create_success/rule.yml  | 2 +-
 .../system/auditing/policy_rules/audit_delete_failed/rule.yml   | 2 +-
 .../system/auditing/policy_rules/audit_delete_success/rule.yml  | 2 +-
 .../auditing/policy_rules/audit_immutable_login_uids/rule.yml   | 2 +-
 .../system/auditing/policy_rules/audit_modify_failed/rule.yml   | 2 +-
 .../system/auditing/policy_rules/audit_modify_success/rule.yml  | 2 +-
 .../system/auditing/policy_rules/audit_module_load/rule.yml     | 2 +-
 .../system/auditing/policy_rules/audit_ospp_general/rule.yml    | 2 +-
 .../auditing/policy_rules/audit_owner_change_failed/rule.yml    | 2 +-
 .../auditing/policy_rules/audit_owner_change_success/rule.yml   | 2 +-
 .../auditing/policy_rules/audit_perm_change_failed/rule.yml     | 2 +-
 .../auditing/policy_rules/audit_perm_change_success/rule.yml    | 2 +-
 .../system/auditing/policy_rules/audit_rules_for_ospp/rule.yml  | 2 +-
 .../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml   | 2 +-
 .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml  | 2 +-
 .../guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 2 +-
 .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml  | 2 +-
 .../guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml   | 2 +-
 .../system/bootloader-zipl/zipl_page_poison_argument/rule.yml   | 2 +-
 .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml    | 2 +-
 .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml      | 2 +-
 .../permissions/partitions/mount_option_boot_nodev/rule.yml     | 2 +-
 .../permissions/partitions/mount_option_boot_nosuid/rule.yml    | 2 +-
 .../permissions/partitions/mount_option_home_nosuid/rule.yml    | 2 +-
 .../mount_option_nodev_nonroot_local_partitions/rule.yml        | 2 +-
 .../permissions/partitions/mount_option_tmp_nodev/rule.yml      | 2 +-
 .../permissions/partitions/mount_option_tmp_noexec/rule.yml     | 2 +-
 .../permissions/partitions/mount_option_tmp_nosuid/rule.yml     | 2 +-
 .../partitions/mount_option_var_log_audit_nodev/rule.yml        | 2 +-
 .../partitions/mount_option_var_log_audit_noexec/rule.yml       | 2 +-
 .../partitions/mount_option_var_log_audit_nosuid/rule.yml       | 2 +-
 .../permissions/partitions/mount_option_var_log_nodev/rule.yml  | 2 +-
 .../permissions/partitions/mount_option_var_log_noexec/rule.yml | 2 +-
 .../permissions/partitions/mount_option_var_log_nosuid/rule.yml | 2 +-
 .../permissions/partitions/mount_option_var_nodev/rule.yml      | 2 +-
 .../permissions/partitions/mount_option_var_nosuid/rule.yml     | 2 +-
 .../software/disk_partitioning/encrypt_partitions/rule.yml      | 2 +-
 .../software/integrity/crypto/ssh_client_rekey_limit/rule.yml   | 2 +-
 rhcos4/profiles/ospp.profile                                    | 1 -
 51 files changed, 50 insertions(+), 51 deletions(-)

diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
index 05d7fcfb9b2..1b62fb49fb5 100644
--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
+++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Uninstall Sendmail Package'
 
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
index fd63c8d46e9..7a51b3960f2 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,rhcos4
 
 title: 'Enable Smartcards in SSSD'
 
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
index 3f8dcc0cd89..b2c450b58e2 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,rhcos4
 
 title: 'Configure SSSD to Expire Offline Credentials'
 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
index 2536369ac20..21edfc9f0b7 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol8,rhel8
+prodtype: fedora,ol8,rhel8,rhcos4
 
 title: 'Support session locking with tmux'
 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml
index dd8d3cc665c..7816ebc8f91 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol8,rhel8
+prodtype: fedora,ol8,rhel8,rhcos4
 
 title: 'Configure tmux to lock session after inactivity'
 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml
index 9ec02f821a2..bf1ea79df99 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol8,rhel8
+prodtype: fedora,ol8,rhel8,rhcos4
 
 title: 'Configure the tmux Lock Command'
 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
index 33fbe1bb11d..c900612b1bc 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol8,rhel8,rhv4
+prodtype: fedora,ol8,rhel8,rhv4,rhcos4
 
 title: 'Install the tmux Package'
 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index efe2bb6e937..895290d04ab 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4
 
 title: 'Set Interactive Session Timeout'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
index 1139b5ad9ef..458ac7e0ae6 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of unsuccessful file accesses'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
index 12a0bda54e5..064618716e8 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of successful file accesses'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
index 4c878aecefd..cce5e83fd6e 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhel8,rhcos4,rhcos4
 
 title: 'Configure basic parameters of Audit system'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
index 07728afb71f..92800b472c7 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of unsuccessful file creations'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
index d81cd3ae86b..59db7b10073 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of successful file creations'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
index 4d8fc27b98c..2f67a150dc5 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of unsuccessful file deletions'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
index b42c69dc73f..f54899fb842 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of successful file deletions'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
index 1f9c237834d..e9b85f815b8 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure immutable Audit login UIDs'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
index fa91128194c..51f9d76f06d 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhel8,rhcos4,rhcos4
 
 title: 'Configure auditing of unsuccessful file modifications'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
index 6ba53e816b5..b51acc04dcb 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of successful file modifications'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
index b38afedcfbf..20bfca83eee 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhel8,rhcos4,rhcos4
 
 title: 'Configure auditing of loading and unloading of kernel modules'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
index 2e38bd8218d..fbf7473cc4c 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8,rhcos4
+prodtype: ol8,rhel8,rhcos4,rhcos4
 
 title: 'Perform general configuration of Audit for OSPP'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
index d9ca290b392..b0052f8b645 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of unsuccessful ownership changes'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
index e61b6c73f13..3657a32fc3a 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of successful ownership changes'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
index 960bdf94a12..477c74282d0 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of unsuccessful permission changes'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
index bf8340f0abc..53ecf9d589a 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8
+prodtype: ol8,rhel8,rhcos4
 
 title: 'Configure auditing of successful permission changes'
 
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
index 88281198ffe..26e7016c5b8 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,ol8,rhel7,rhel8
+prodtype: ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Configure audit according to OSPP requirements'
 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 46705e77570..c2fb5ba678c 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index c7bb7f26190..6548c352acc 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index ae00dfedd70..c3f032d8cbb 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Ensure all zIPL boot entries are BLS compliant'
 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index 90db3e98a29..13192cd8ca5 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Ensure zIPL bootmap is up to date'
 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index b0bc0fc374f..261b227dd58 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Ensure SELinux Not Disabled in zIPL'
 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 6bd785347a5..42c1c8aecd5 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Enable page allocator poisoning in zIPL'
 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 8cbc46eab98..2f9b04f7a27 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 82f109ccc5f..f90a0fb4141 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Disable vsyscalls in zIPL'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
index ac37b3f9529..52561195737 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add nodev Option to /boot'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
index ab2711f4831..ebf09614ac4 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add nosuid Option to /boot'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index 4d514d06822..dadd3fa3e97 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,rhcos4
 
 title: 'Add nosuid Option to /home'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
index 4ca394f2235..15b54df2174 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add nodev Option to Non-Root Local Partitions'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index 9a3a4352237..bcd15e15965 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,ubuntu1804
+prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,ubuntu1804,rhcos4
 
 title: 'Add nodev Option to /tmp'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 42ccba3bce6..7c8bf290fe1 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,rhcos4
 
 title: 'Add noexec Option to /tmp'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index 87bbbc312cd..0f4a0288340 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,ubuntu1804
+prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15,ubuntu1804,rhcos4
 
 title: 'Add nosuid Option to /tmp'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
index 93c7c67bd1b..c2765b6c619 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add nodev Option to /var/log/audit'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
index 3d66e72c696..820c8385b3f 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add noexec Option to /var/log/audit'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
index 7754082d029..344bafd252a 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add nosuid Option to /var/log/audit'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 702d6325fa4..4647f2e1c0d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add nodev Option to /var/log'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
index 8bb1004d670..91fe9594ff0 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add noexec Option to /var/log'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
index 2e183ea39aa..7c11a923def 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add nosuid Option to /var/log'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
index 030c0f9df4b..fe4aaae5028 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhcos4
 
 title: 'Add nodev Option to /var'
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
index 436da278d2c..14ee493fbee 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhel7,rhel8
+prodtype: fedora,rhel7,rhel8,rhcos4
 
 title: 'Add nosuid Option to /var'
 
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index de2cbae9a82..80d1856778a 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,ol8,rhel7,rhel8,rhv4
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4
 
 title: 'Encrypt Partitions'
 
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index 1ff99481d22..e9112161016 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8
+prodtype: rhel8,rhcos4
 
 title: 'Configure session renegotiation for SSH client'
 
diff --git a/rhcos4/profiles/ospp.profile b/rhcos4/profiles/ospp.profile
index 5db9a88168d..4d44176bb74 100644
--- a/rhcos4/profiles/ospp.profile
+++ b/rhcos4/profiles/ospp.profile
@@ -308,4 +308,3 @@ selections:
     - zipl_vsyscall_argument
     - zipl_vsyscall_argument.role=unscored
     - zipl_vsyscall_argument.severity=info
-    - zipl_pti_argument

From ec1c3540365f19fefb60a2126d277d51f04487c0 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Tue, 29 Sep 2020 13:41:07 -0600
Subject: [PATCH 4/4] Remove standard profile for RHCOS

---
 rhcos4/CMakeLists.txt        |  1 -
 rhcos4/profiles/ospp.profile | 16 ++++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/rhcos4/CMakeLists.txt b/rhcos4/CMakeLists.txt
index 3ab1b56e4dd..f3cf94770f0 100644
--- a/rhcos4/CMakeLists.txt
+++ b/rhcos4/CMakeLists.txt
@@ -10,7 +10,6 @@ set(PRODUCT_REMEDIATION_LANGUAGES "ignition;kubernetes")
 ssg_build_product(${PRODUCT})
 
 ssg_build_html_table_by_ref(${PRODUCT} "nist")
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
 ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
 ssg_build_html_nistrefs_table(${PRODUCT} "stig")
 ssg_build_html_cce_table(${PRODUCT})
diff --git a/rhcos4/profiles/ospp.profile b/rhcos4/profiles/ospp.profile
index 4d44176bb74..9df62aabfae 100644
--- a/rhcos4/profiles/ospp.profile
+++ b/rhcos4/profiles/ospp.profile
@@ -104,14 +104,14 @@ selections:
 
     ### Kernel Config
     ## Boot prompt
-    - grub2_audit_argument
-    - grub2_audit_backlog_limit_argument
-    - grub2_slub_debug_argument
-    - grub2_page_poison_argument
-    - grub2_vsyscall_argument
-    - grub2_vsyscall_argument.role=unscored
-    - grub2_vsyscall_argument.severity=info
-    - grub2_pti_argument
+    - coreos_audit_option
+    - coreos_audit_backlog_limit_kernel_argument
+    - coreos_slub_debug_kernel_argument
+    - coreos_page_poison_kernel_argument
+    - coreos_vsyscall_kernel_argument
+    - coreos_vsyscall_kernel_argument.role=unscored
+    - coreos_vsyscall_kernel_argument.severity=info
+    - coreos_pti_kernel_argument
 
     ## Security Settings
     - sysctl_kernel_kptr_restrict