From e276fee51d01cd111de94b18f1df8cffde8dd25b Mon Sep 17 00:00:00 2001 From: Eran Markus Date: Sun, 7 Jun 2026 07:47:16 +0300 Subject: [PATCH 1/2] Add missing OCIL to PCI-DSS rules Three rules referenced by the PCI-DSS controls were missing OCIL (manual check) content, leaving them without questionnaire text in the generated benchmarks: - audit_rules_session_events - chronyd_or_ntpd_specify_multiple_servers - disable_prelink Add an ocil_clause and ocil block to each, mirroring the style of sibling rules (audit_rules_usergroup_modification, chronyd_or_ntpd_specify_remote_server). The OCIL describes how to manually verify each rule's expected state. Verified the OCIL renders by building the data streams: session_events and chronyd_or_ntpd_specify_multiple_servers in ssg-rhel8-ds.xml, and disable_prelink in ssg-sle15-ds.xml. Fixes: https://github.com/ComplianceAsCode/content/issues/4913 Co-Authored-By: Claude Opus 4.8 (1M context) --- .../audit_rules_session_events/rule.yml | 9 +++++++++ .../rule.yml | 14 ++++++++++++++ .../software/integrity/disable_prelink/rule.yml | 10 ++++++++++ 3 files changed, 33 insertions(+) diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml index 1cb90f75c145..f1760e2042b1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml @@ -50,3 +50,12 @@ references: nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 pcidss: Req-10.2.3 srg: SRG-APP-000505-CTR-001285 + +ocil_clause: 'the system is not configured to audit attempts to alter process and session initiation information' + +ocil: |- + To determine if the system is configured to audit attempts to alter + process and session initiation information, run the following command: +
auditctl -l | grep -E '(/var/run/utmp|/var/log/btmp|/var/log/wtmp)'
+ If the system is configured to watch for these events, lines should be returned for + each file specified (and with -p wa for each). diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml index dec1be4ebf29..5a15ca699a05 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml @@ -104,3 +104,17 @@ references: nist: CM-6(a),AU-8(1)(a),AU-8(2),AU-12(1) nist-csf: PR.PT-1 pcidss: Req-10.4.3 + +ocil_clause: 'no additional NTP servers are specified' + +ocil: |- + To verify that additional NTP servers are configured for time synchronization, + open the following file: + + In the file, there should be multiple lines similar to the following: +
server ntpserver
diff --git a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml index c187957e630f..63374db4cb0c 100644 --- a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml +++ b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml @@ -37,3 +37,13 @@ references: nist: SC-13,CM-6(a) nist-csf: PR.DS-1,PR.DS-6,PR.DS-8,PR.IP-1 pcidss: Req-11.5 + +ocil_clause: 'prelinking is enabled' + +ocil: |- + To determine if prelinking is disabled, run the following command: +
$ grep PRELINKING /etc/sysconfig/prelink
+ If prelinking is disabled, the output should contain the following line: +
PRELINKING=no
+ Alternatively, if the prelink package is not installed, prelinking is + not enabled and the rule is also satisfied. From f42410381811f358a019121a40ce371d6326ffca Mon Sep 17 00:00:00 2001 From: Eran Markus Date: Sun, 7 Jun 2026 08:43:55 +0300 Subject: [PATCH 2/2] Lead prelink OCIL with package-installed check Address review feedback: check whether the prelink package is installed before grepping /etc/sysconfig/prelink. This matches the OVAL check's OR structure (package not installed OR PRELINKING=no) and avoids a missing /etc/sysconfig/prelink looking like a failure when prelink is absent. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../system/software/integrity/disable_prelink/rule.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml index 63374db4cb0c..22e92b957de6 100644 --- a/linux_os/guide/system/software/integrity/disable_prelink/rule.yml +++ b/linux_os/guide/system/software/integrity/disable_prelink/rule.yml @@ -41,9 +41,12 @@ references: ocil_clause: 'prelinking is enabled' ocil: |- - To determine if prelinking is disabled, run the following command: + To determine if prelinking is disabled, first check whether the + prelink package is installed by running the following command: +
$ rpm -q prelink
+ If the package is not installed, prelinking is not enabled and the rule is + satisfied. If the prelink package is installed, verify that prelinking + is disabled by running the following command:
$ grep PRELINKING /etc/sysconfig/prelink
If prelinking is disabled, the output should contain the following line:
PRELINKING=no
- Alternatively, if the prelink package is not installed, prelinking is - not enabled and the rule is also satisfied.
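Review bot: in the audit_rules_session_events OCIL, the grep only matches on the three file paths, so an auditctl line with the wrong permissions would still be returned and the real check is carried by the parenthetical "(and with -p wa for each)". Consider showing the expected output explicitly, the way the other two OCILs in this series show their expected lines, so the assessor knows what a compliant line looks like (a -w entry for each of the three files that includes -p wa), rather than leaving it to the parenthetical.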
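Review bot: in the chronyd_or_ntpd_specify_multiple_servers OCIL, "open the following file:" is followed by an empty line and no file is named, so the questionnaire never tells the assessor which file to inspect. Name the configuration file, covering both the chronyd and ntpd cases since the rule applies to either daemon, and since the clause is "no additional NTP servers are specified", state the threshold directly (at least two server lines) instead of "multiple lines similar to the following". If the automated check for this rule also counts pool entries, the OCIL should mention them as well so manual and automated results agree.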
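Review bot: the new "rpm -q prelink" step in the revised disable_prelink OCIL hard-codes an RPM query; that matches the ssg-sle15-ds.xml build the first commit mentions, but if this rule is also built for products that do not use rpm the instruction will not apply there, so consider the distribution-neutral package-presence wording sibling rules use or state the equivalent query for the other package managers. Separately, "grep PRELINKING /etc/sysconfig/prelink" will also match a commented-out line such as "#PRELINKING=no"; the expected-output sentence should say the PRELINKING=no line must be uncommented.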