ComplianceAsCode · Mab879 · Mar 23, 2026 · Mar 16, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/components/bash.yml b/components/bash.yml
@@ -3,6 +3,7 @@ packages:
 - bash
 rules:
 - accounts_umask_etc_bashrc
+- file_permission_user_bash_history
 - accounts_umask_etc_csh_cshrc
 - accounts_umask_etc_profile
 - accounts_umask_root
diff --git a/components/krb5.yml b/components/krb5.yml
@@ -3,9 +3,11 @@ groups:
 name: krb5
 packages:
 - krb5
+- krb5-libs
 - krb5-server
 - krb5-workstation
 rules:
+- configure_kerberos_crypto_policy
 - kerberos_disable_no_keytab
 - package_krb5-server_removed
 - package_krb5-workstation_removed
diff --git a/components/openssh.yml b/components/openssh.yml
@@ -94,6 +94,8 @@ rules:
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
 - sshd_include_crypto_policy
+- harden_sshd_ciphers_openssh_conf_crypto_policy
 - harden_sshd_crypto_policy
+- harden_sshd_macs_openssh_conf_crypto_policy
 templates:
 - sshd_lineinfile
diff --git a/components/openssl.yml b/components/openssl.yml
@@ -4,5 +4,7 @@ name: openssl
 packages:
 - openssl
 rules:
+- configure_openssl_crypto_policy
+- configure_openssl_tls_crypto_policy
 - only_allow_dod_certs
 - only_allow_specific_certs
diff --git a/components/pam.yml b/components/pam.yml
@@ -112,6 +112,7 @@ rules:
 - ensure_root_password_configured
 - ensure_shadow_group_empty
 - ensure_sudo_group_restricted
+- file_etc_security_opasswd
 - file_groupowner_etc_issue
 - file_groupowner_etc_issue_net
 - file_groupowner_etc_motd
@@ -121,7 +122,6 @@ rules:
 - file_owner_etc_motd
 - file_ownership_home_directories
 - file_ownership_lastlog
-- file_permission_user_bash_history
 - file_permissions_etc_issue
 - file_permissions_etc_issue_net
 - file_permissions_etc_motd

diff --git a/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/rule.yml b/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/rule.yml
@@ -41,3 +41,5 @@ ocil: |-
     <pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre>
     The output should return:
     <pre>USELDAPAUTH=yes</pre>
+
+platform: system_with_kernel
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
@@ -33,3 +33,5 @@ template:
     name: package_installed
     vars:
         pkgname: openssh-clients
+
+platform: system_with_kernel
diff --git a/linux_os/guide/services/ssh/ssh_client/group.yml b/linux_os/guide/services/ssh/ssh_client/group.yml
@@ -9,3 +9,5 @@ description: |-
     influence only the default SSH client configuration. Changes in this group
     can be overridden by the client user by modifying files within the
     <pre>~/.ssh</pre> directory or by supplying parameters on the command line.
+
+platform: package[openssh-clients]
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_bash_history/rule.yml
@@ -32,3 +32,5 @@ fixtext: |-
     Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
 
     $ sudo chmod 0600 /home/smithj/.bash_history
+
+platform: package[bash]
diff --git a/.../permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/.../permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
@@ -32,3 +32,5 @@ ocil: |-
     {{{ ocil_file_owner(file="/etc/security/opasswd", owner="root") }}}
     {{{ ocil_file_group_owner(file="/etc/security/opasswd", group="root") }}}
     {{{ ocil_file_permissions(file="/etc/security/opasswd", perms="0600") }}}
+
+platform: package[pam]
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
@@ -43,3 +43,5 @@ fixtext: |-
     $ sudo ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
 
 srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'
+
+platform: package[krb5-libs]
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 
 rm -f /etc/krb5.conf.d/crypto-policies
 ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
@@ -1,4 +1,4 @@
 #!/bin/bash
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 
 rm -f /etc/krb5.conf.d/crypto-policies
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,multi_platform_rhel
 
 rm -f /etc/krb5.conf.d/crypto-policies
 ln -s /etc/crypto-policies/back-ends/openssh.config /etc/krb5.conf.d/crypto-policies
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
@@ -65,3 +65,5 @@ fixtext: |-
 
 srg_requirement: |-
     {{{ full_name }}} must implement approved encryption in the OpenSSL package.
+
+platform: package[openssl]
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
@@ -68,3 +68,5 @@ warnings:
 
 srg_requirement: |-
     {{{ full_name }}} must use at minimum TLSv1.2 for TLS connections.
+
+platform: package[openssl]
diff --git a/.../system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/.../system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
@@ -59,3 +59,5 @@ warnings:
         party review by an accredited lab. While open source software is
         capable of meeting this, it does not meet FIPS-140 unless the vendor
         submits to this process.
+
+platform: package[openssh]
diff --git a/...ide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/...ide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
@@ -58,3 +58,5 @@ warnings:
         party review by an accredited lab. While open source software is
         capable of meeting this, it does not meet FIPS-140 unless the vendor
         submits to this process.
+
+platform: package[openssh]
diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml
@@ -37,3 +37,5 @@ template:
     name: package_installed
     vars:
         pkgname: gnutls-utils
+
+platform: system_with_kernel
diff --git a/...ystem/software/system-tools/package_libdnf-plugin-subscription-manager_installed/rule.yml b/...ystem/software/system-tools/package_libdnf-plugin-subscription-manager_installed/rule.yml
@@ -29,3 +29,5 @@ template:
     name: package_installed
     vars:
         pkgname: libdnf-plugin-subscription-manager
+
+platform: package[dnf]
diff --git a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml
@@ -36,3 +36,5 @@ template:
     name: package_installed
     vars:
         pkgname: nss-tools
+
+platform: system_with_kernel
diff --git a/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_openscap-scanner_installed/rule.yml
@@ -35,3 +35,5 @@ template:
     name: package_installed
     vars:
         pkgname: openscap-scanner
+
+platform: system_with_kernel
diff --git a/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_scap-security-guide_installed/rule.yml
@@ -40,3 +40,5 @@ template:
     name: package_installed
     vars:
         pkgname: scap-security-guide
+
+platform: system_with_kernel
diff --git a/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_sequoia-sq_installed/rule.yml
@@ -30,3 +30,5 @@ template:
     name: package_installed
     vars:
         pkgname: sequoia-sq
+
+platform: system_with_kernel
diff --git a/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_subscription-manager_installed/rule.yml
@@ -44,3 +44,5 @@ fixtext: |-
     {{{ describe_package_install(package="subscription-manager") }}}
 
 srg_requirement: '{{{ srg_requirement_package_installed("subscription-manager") }}}'
+
+platform: system_with_kernel
diff --git a/linux_os/guide/system/software/updating/disable_weak_deps/rule.yml b/linux_os/guide/system/software/updating/disable_weak_deps/rule.yml
@@ -23,3 +23,5 @@ ocil: |-
     <pre># grep -Pi -- '^\h*install_weak_deps\h*=\h*(0|false|no)\b' /etc/dnf/dnf.conf</pre>
     The output should return the following:
     <pre>install_weak_deps = 0</pre>
+
+platform: package[dnf]
diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
@@ -50,6 +50,8 @@ args:
     {{% endif %}}
   iptables:
     pkgname: iptables
+  krb5-libs:
+    pkgname: krb5-libs
   libpwquality:
     {{% if 'debian' in product or 'sle' in product or 'slmicro' in product or 'ubuntu' in product %}}
     pkgname: libpwquality1
@@ -95,8 +97,12 @@ args:
     title: NTP daemon and utilities
   openssh:
     pkgname: openssh
+  openssh-clients:
+    pkgname: openssh-clients
   openssh-server:
     pkgname: openssh-server
+  openssl:
+    pkgname: openssl
   pam:
     {{% if pkg_system == "rpm" %}}
       pkgname: pam
Original file line number	Diff line number	Diff line change
Expand Up		@@ -32,3 +32,5 @@ fixtext: \|-
		Note: The example will be for the smithj user, who has a home directory of "/home/smithj".

		$ sudo chmod 0600 /home/smithj/.bash_history

		platform: package[bash]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -43,3 +43,5 @@ fixtext: \|-
		$ sudo ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies

		srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'

		platform: package[krb5-libs]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -65,3 +65,5 @@ fixtext: \|-

		srg_requirement: \|-
		{{{ full_name }}} must implement approved encryption in the OpenSSL package.

		platform: package[openssl]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -68,3 +68,5 @@ warnings:

		srg_requirement: \|-
		{{{ full_name }}} must use at minimum TLSv1.2 for TLS connections.

		platform: package[openssl]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -44,3 +44,5 @@ fixtext: \|-
		{{{ describe_package_install(package="subscription-manager") }}}

		srg_requirement: '{{{ srg_requirement_package_installed("subscription-manager") }}}'

		platform: system_with_kernel