Merge branch 'add-alma9' of github.com:sej7278/cac-content into add-a…

…lma9

.github/workflows/gate.yaml

@@ -88,7 +88,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Install Deps
-        run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
+        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Install deps python
@@ -107,7 +107,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Install Deps
-        run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
+        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Install deps python
@@ -126,7 +126,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Install Deps
-        run: sudo apt-get update && sudo apt-get install cmake ninja-build openscap-utils libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
+        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build openscap-utils libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Install deps python
@@ -180,8 +180,8 @@ jobs:
     name: Build on Windows
     runs-on: windows-latest
     env:
-      OPENSCAP_VERSION: "1.4.1"
-      OPENSCAP_ROOT_DIR: "C:\\Program Files\\OpenSCAP 1.4.1"
+      OPENSCAP_VERSION: "1.4.2"
+      OPENSCAP_ROOT_DIR: "C:\\Program Files\\OpenSCAP 1.4.2"
     steps:
         - name: Install Deps
           run: choco install xsltproc

.github/workflows/k8s-content-pr.yaml

@@ -63,7 +63,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
       - name: Docker metadata
@@ -84,7 +84,7 @@ jobs:
             org.opencontainers.image.vendor='Compliance Operator Authors'
       - name: Build container images and push
         id: docker_build
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6
         with:
           context: .
           file: ./Dockerfiles/ocp4_content

.github/workflows/release.yaml

@@ -45,7 +45,7 @@ jobs:
         env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Release
-        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         with:
           draft: True
           name: Content ${{ steps.set_version.outputs.ver }}

controls/ism_o.yml

@@ -31,7 +31,7 @@ controls:
             - set_password_hashing_algorithm_passwordauth
             - set_password_hashing_algorithm_systemauth
             - sshd_disable_gssapi_auth
-            - var_password_hashing_algorithm_pam=sha512
+            - var_password_hashing_algorithm_pam=yescrypt
         status: automated
 
     -   id: '0421'

controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml

@@ -10,7 +10,6 @@ controls:
             - var_password_pam_maxclassrepeat=3
             - var_password_pam_dictcheck=1
             - accounts_password_pam_dictcheck
-            - var_password_hashing_algorithm_pam=sha512
-            - var_password_pam_unix_rounds=5000
+            - var_password_pam_unix_rounds=5
             - var_password_pam_remember=5
             - var_password_pam_remember_control_flag=requisite_or_required

linux_os/guide/services/ntp/file_groupowner_etc_chrony_keys/oval/shared.xml

@@ -0,0 +1,72 @@
+<def-group>
+
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("/etc/chrony.keys should be owned by chrony group") }}}
+    <criteria operator="OR">
+      <criteria operator="AND">
+        <criterion test_ref="test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles" negate="true"
+          comment="The /etc/nsswitch.conf does not use nss-altfiles"/>
+        <criterion test_ref="test_file_groupowner_etc_chrony_keys"
+          comment="Check group ownership of /etc/chrony.keys"/>
+      </criteria>
+      <criteria operator="AND">
+        <criterion test_ref="test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles"
+          comment="The /etc/nsswitch.conf uses nss-altfiles"/>
+        <criterion test_ref="test_file_groupowner_etc_chrony_keys_with_usrlib"
+          comment="Check group ownership of /etc/chrony.keys"/>
+      </criteria>
+    </criteria>
+  </definition>
+
+{{{ oval_test_nsswitch_uses_altfiles() }}}
+
+  <unix:file_test id="test_file_groupowner_etc_chrony_keys" version="1" check="all" comment="Testing group ownership of /etc/chrony.keys" check_existence="none_exist" state_operator="AND">
+    <unix:object object_ref="object_file_groupowner_etc_chrony_keys" />
+  </unix:file_test>
+  <unix:file_object id="object_file_groupowner_etc_chrony_keys" version="1" comment="/etc/chrony.keys">
+    <unix:filepath>/etc/chrony.keys</unix:filepath>
+    <filter action="exclude">state_file_groupowner_etc_chrony_keys_uid_chrony</filter>
+    <filter action="exclude">state_file_groupowner_etc_chrony_keys_gid_chrony</filter>
+  </unix:file_object>
+  <ind:textfilecontent54_object id="object_file_groupowner_etc_chrony_keys_etc_group" version="1" comment="gid of the dedicated chrony group">
+    <ind:filepath>/etc/group</ind:filepath>
+    <ind:pattern operation="pattern match">^chrony:\w+:(\w+):.*</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <unix:file_state id="state_file_groupowner_etc_chrony_keys_gid_chrony" version="1" operator="AND">
+    <unix:group_id datatype="int" var_ref="var_dedicated_groupowner_etc_chrony_keys_uid_chrony" />
+  </unix:file_state>
+  <unix:file_state id="state_file_groupowner_etc_chrony_keys_uid_chrony" version="1" operator="AND">
+    <unix:type operation="equals">symbolic link</unix:type>
+  </unix:file_state>
+  <local_variable id="var_dedicated_groupowner_etc_chrony_keys_uid_chrony" version="1" datatype="int" comment="gid of the dedicated chrony group">
+    <object_component item_field="subexpression" object_ref="object_file_groupowner_etc_chrony_keys_etc_group" />
+  </local_variable>
+
+  <unix:file_test id="test_file_groupowner_etc_chrony_keys_with_usrlib" version="1" check="all" comment="Testing group ownership of /etc/chrony.keys" check_existence="none_exist" state_operator="AND">
+    <unix:object object_ref="object_file_groupowner_etc_chrony_keys_with_usrlib" />
+  </unix:file_test>
+  <unix:file_object id="object_file_groupowner_etc_chrony_keys_with_usrlib" version="1" comment="/etc/chrony.keys">
+    <unix:filepath>/etc/chrony.keys</unix:filepath>
+    <filter action="exclude">state_file_groupowner_etc_chrony_keys_uid_chrony</filter>
+    <filter action="exclude">state_file_groupowner_etc_chrony_keys_gid_chrony_with_usrlib</filter>
+  </unix:file_object>
+  <ind:textfilecontent54_object id="object_file_groupowner_etc_chrony_keys_etc_group_with_usrlib" version="1" comment="gid of the dedicated chrony group">
+    <set>
+      <object_reference>object_file_groupowner_etc_chrony_keys_etc_group</object_reference>
+      <object_reference>object_file_groupowner_etc_chrony_keys_usr_lib_group</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="object_file_groupowner_etc_chrony_keys_usr_lib_group" version="1">
+    <ind:filepath>/usr/lib/group</ind:filepath>
+    <ind:pattern operation="pattern match">^chrony:\w+:(\w+):.*</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <unix:file_state id="state_file_groupowner_etc_chrony_keys_gid_chrony_with_usrlib" version="1" operator="AND">
+    <unix:group_id datatype="int" var_ref="var_dedicated_groupowner_etc_chrony_keys_uid_chrony_with_usrlib" />
+  </unix:file_state>
+  <local_variable id="var_dedicated_groupowner_etc_chrony_keys_uid_chrony_with_usrlib" version="1" datatype="int" comment="gid of the dedicated chrony group">
+    <object_component item_field="subexpression" object_ref="object_file_groupowner_etc_chrony_keys_etc_group_with_usrlib" />
+  </local_variable>
+
+</def-group>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml

@@ -54,7 +54,6 @@ references:
     nist@sle15: IA-5(1)(e),IA-5(1).1(v)
     pcidss: Req-8.2.5
     srg: SRG-OS-000077-GPOS-00045
-    stigid@rhel8: RHEL-08-020220
 
 ocil_clause: |-
     the pam_pwhistory.so module is not used, the "remember" module option is not set in

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml

@@ -54,7 +54,6 @@ references:
     nist@sle15: IA-5(1)(e),IA-5(1).1(v)
     pcidss: Req-8.2.5
     srg: SRG-OS-000077-GPOS-00045
-    stigid@rhel8: RHEL-08-020221
 
 ocil_clause: |-
     the pam_pwhistory.so module is not used, the "remember" module option is not set in

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml

@@ -5,7 +5,7 @@
 # disruption = medium
 {{% if 'ubuntu' in product %}}
 {{% set configuration_files = ["common-password"] %}}
-{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+{{% elif product in ['ol8', 'ol9'] or 'rhel' in product %}}
 {{% set configuration_files = ["password-auth","system-auth"] %}}
 {{% else %}}
 {{% set configuration_files = ["system-auth"] %}}

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh

@@ -1,6 +1,6 @@
 # platform = multi_platform_all
 
-{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+{{% if product in ['ol8', 'ol9'] or 'rhel' in product %}}
 {{% set configuration_files = ["password-auth","system-auth"] %}}
 {{% else %}}
 {{% set configuration_files = ["system-auth"] %}}
@@ -9,7 +9,7 @@
 
 {{{ bash_instantiate_variables("var_password_pam_retry") }}}
 
-{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] -%}}
+{{% if product in ['ol8', 'ol9'] or 'rhel' in product -%}}
 	{{{ bash_replace_or_append('/etc/security/pwquality.conf',
 							   '^retry',
 							   '$var_password_pam_retry',

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml

@@ -1,6 +1,6 @@
 {{% if 'ubuntu' in product or 'debian' in product %}}
 {{% set configuration_files = ["common-password"] %}}
-{{% elif product in ['ol8','ol9','rhel8', 'rhel9'] %}}
+{{% elif product in ['ol8','ol9'] or 'rhel' in product %}}
 {{% set configuration_files = ["password-auth","system-auth"] %}}
 {{% else %}}
 {{% set configuration_files = ["system-auth"] %}}
@@ -17,7 +17,7 @@
       </criteria>
       <criteria operator="AND" comment="Conditions for retry in pwquality.conf file are satisfied">
         {{% for file in configuration_files %}}
-        <criterion 
+        <criterion
         comment="retry value not set in PAM files"
         test_ref="test_password_pam_pwquality_retry_{{{ (file | escape_id) }}}_not_set"/>
         {{% endfor %}}

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml

@@ -5,7 +5,7 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
 
 description: |-
     To configure the number of retry prompts that are permitted per-session:
-    {{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+    {{% if product in ['ol8', 'ol9'] or 'rhel' in product %}}
     Edit the <tt>/etc/security/pwquality.conf</tt> to include
     {{% else %}}
     Edit the <tt>pam_pwquality.so</tt> statement in
@@ -56,7 +56,7 @@ ocil_clause: 'the value of "retry" is set to "0" or greater than "{{{ xccdf_valu
 ocil: |-
     Verify {{{ full_name }}} is configured to limit the "pwquality" retry option to {{{ xccdf_value("var_password_pam_retry") }}}.
 
-    {{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+    {{% if product in ['ol8', 'ol9'] or 'rhel' in product %}}
     Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command:
     <pre>$ grep retry /etc/security/pwquality.conf</pre>
     {{% else %}}
@@ -75,7 +75,7 @@ platform: package[pam]
 fixtext: |-
     Configure {{{ full_name }}} to limit the "pwquality" retry option to {{{ xccdf_value("var_password_pam_retry") }}}.
 
-    {{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+    {{% if product in ['ol8', 'ol9'] or 'rhel' in product %}}
     Add the following line to the "/etc/security/pwquality.conf" file (or modify the line to have the required value):
 
     retry={{{ xccdf_value("var_password_pam_retry") }}}

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh

@@ -1,13 +1,13 @@
 {{% if 'ubuntu' in product %}}
 configuration_files=("common-password")
-{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+{{% elif product in ['ol8', 'ol9'] or 'rhel' in product %}}
 configuration_files=("password-auth" "system-auth")
 {{% else %}}
 configuration_files=("system-auth")
 {{% endif %}}
 
 
-{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+{{% if product in ['ol8', 'ol9'] or 'rhel' in product %}}
 authselect create-profile testingProfile --base-on sssd
 
 for file in ${configuration_files[@]}; do

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_commented.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 # variables = var_password_pam_retry=3
 
 source common.sh

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct.pass.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 # variables = var_password_pam_retry=3
 
 source common.sh

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_correct_with_space.pass.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 # variables = var_password_pam_retry=3
 
 source common.sh

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_overriden.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 # variables = var_password_pam_retry=3
 
 source common.sh

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/pwquality_conf_wrong.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 # variables = var_password_pam_retry=3
 
 source common.sh

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/rule.yml

@@ -63,7 +63,7 @@ ocil: |-
 
 platform: package[pam]
 
-{{% if product in ['ol9', 'rhel9'] %}}
+{{% if product in ['ol9', 'rhel9', 'rhel10'] %}}
 srg_requirement: 'The {{{ full_name }}} pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.'
 
 fixtext: |-

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_correct_value.pass.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
 # variables = var_password_hashing_algorithm_pam=sha512
 
 authselect create-profile hardening -b sssd

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_incorrect_option.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
 # variables = var_password_hashing_algorithm_pam=sha512
 
 authselect create-profile hardening -b sssd

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_missing_option.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
 # variables = var_password_hashing_algorithm_pam=sha512
 
 authselect create-profile hardening -b sssd

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_modified_pam.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
 # variables = var_password_hashing_algorithm_pam=sha512
 # remediation = none
 

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_multiple_options.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
 # variables = var_password_hashing_algorithm_pam=sha512
 
 authselect create-profile hardening -b sssd

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/tests/authselect_wrong_control.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = authselect
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_rhel,multi_platform_fedora
 # variables = var_password_hashing_algorithm_pam=sha512
 
 authselect create-profile hardening -b sssd

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh

@@ -4,13 +4,13 @@
 
 {{% if 'sle' in product or 'slmicro' in product -%}}
 PAM_FILE_PATH="/etc/pam.d/common-password"
-CONTROL="required"
+{{% set control = "required" %}}
 {{%- elif 'ubuntu' in product -%}}
 {{{ bash_pam_unix_enable() }}}
 PAM_FILE_PATH=/usr/share/pam-configs/cac_unix
 {{%- else -%}}
 PAM_FILE_PATH="/etc/pam.d/system-auth"
-CONTROL="sufficient"
+{{% set control = "sufficient" %}}
 {{%- endif %}}
 
 {{% if 'ubuntu' in product -%}}
@@ -31,7 +31,7 @@ if ! grep -qzP "Password-Initial:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_ha
 fi
 
 {{%- else -%}}
-{{{ bash_ensure_pam_module_configuration("$PAM_FILE_PATH", 'password', "$CONTROL", 'pam_unix.so', "$var_password_hashing_algorithm_pam", '', '') }}}
+{{{ bash_ensure_pam_module_configuration("$PAM_FILE_PATH", 'password', control, 'pam_unix.so', "$var_password_hashing_algorithm_pam", '', '') }}}
 {{%- endif %}}
 
 # Ensure only the correct hashing algorithm option is used.

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml

@@ -90,7 +90,7 @@ ocil: |-
 platform: package[pam]
 
 fixtext: |-
-    {{% if product in ['ol9', 'rhel9', 'ubuntu2204', 'ubuntu2404'] -%}}
+    {{% if product in ['ol9', 'rhel9', 'rhel10', 'ubuntu2204', 'ubuntu2404'] -%}}
     Configure {{{ full_name }}} to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.
     {{% else %}}
     Configure {{{ full_name }}} to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
@@ -106,7 +106,7 @@ fixtext: |-
     password sufficient pam_unix.so {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
     {{%- endif %}}
 
-{{% if product in ['ol9', 'rhel9'] -%}}
+{{% if product in ['ol9', 'rhel9', 'rhel10'] -%}}
 srg_requirement: 'The {{{ full_name }}} pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.'
 {{%- endif %}}