ComplianceAsCode · Mab879 · May 13, 2026
diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -63,7 +63,7 @@
    # From ANSSI DAT-24
    # R11 Password protect the BIOS
    # R12 Deactivate peripherals not needed
    # R13 The boot order list should give highest preference to component on which final OS is installed
    # R14 Enable NX/XD bit
    # - bios_enable_execution_restrictions  # Doesn't have check
    # R15 Disable VT-x/AMD-V functionality
@@ -79,7 +79,7 @@
          Enabling Secure Boot can't be accomplished from the operating system.
          Also, OVAL doesn't provide any reliable ways to detect the Secure Boot status.
          Therefore, we will not provide any rules to automate this requirement.
          We recommend checking the Secure Boot status using the `mokutil --sb-state` or `bootctl status`
          commands.
      status: manual

@@ -120,9 +120,9 @@
          It is recommended that UEFI Secure Boot is used to protect the Linux Kernel
          command line parameters during boot.
      notes: >-
          To protect the Linux Kernel command line one needs to create an Unified Kernel Image and use
          it with the UEFI Secure Boot mechanism.
          To check if the Kernel image contains the kernel command one needs to inspect the binary, on
          the command line one can use the objdump command. But unfortunately OVAL is not able to
          inspect kernel images.
          Also, it is not trivial to automate creation of such image or configuration of the
@@ -152,7 +152,7 @@
          - grub2_l1tf_argument
          - var_l1tf_options=full_force

          # page_poison=on: activate the poisoning of the pages of the page allocator (buddy allocator)
          - grub2_page_poison_argument

          # pti=on: force the use of Page Table Isolation (PTI) including on processors claiming
@@ -163,16 +163,16 @@
          # slab caches (dynamic memory allocations) of identical size.
          - grub2_slab_nomerge_argument

          # slub_debug=F,Z,P: activate certain options for checking slabs caches (dynamic memory allocation)
          - grub2_slub_debug_argument
          - var_slub_debug_options=FZP

          # spec_store_bypass_disable=seccomp: force the system to use the default countermeasure
          # (on an x86 system supporting seccomp) for the Specter v4 (Speculative Store Bypass) vulnerability
          - grub2_spec_store_bypass_disable_argument
          - var_spec_store_bypass_disable_options=seccomp

          # spectre_v2=on: force the system to use a countermeasure for the Specter v2 (Branch Target Injection) vulnerability.
          - grub2_spectre_v2_argument

          # mds=full,nosmt: force the system to use Microarchitectural Data Sampling (MDS) to
@@ -574,7 +574,7 @@
      levels:
          - high
      notes: >-
          If the system can function without support for kernel modules, module support should be disabled
          by setting CONFIG_MODULES=n.
      status: automated
      rules:
@@ -658,7 +658,7 @@
          - mount_option_tmp_nosuid
          - mount_option_tmp_noexec

          # /srv nosuid, nodev (noexec, optional ro) Contains files served by a service type web, ftp, etc
          - partition_for_srv
          - mount_option_srv_nosuid

@@ -1479,6 +1479,7 @@
           - ensure_logrotate_activated
 
           # Based on DAT-PA-012 R26, R27
+          - rsyslog_filecreatemode
           - rsyslog_files_ownership
           - rsyslog_files_groupownership
           - rsyslog_files_permissions

diff --git a/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml b/linux_os/guide/system/logging/rsyslog_filecreatemode/rule.yml
@@ -16,6 +16,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-88321-5
     cce@rhel9: CCE-88322-3
+    cce@rhel10: CCE-88611-9
     cce@sle15: CCE-92599-0
 
 ocil_clause: '$FileCreateMode is not set or is more permissive than 0640'

@@ -2494,8 +2494,8 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: supported
-      related_rules:
+      status: automated
+      rules:
           - rsyslog_filecreatemode
 
     - id: 6.2.3.5

@@ -207,6 +207,7 @@ controls:
           - package_libselinux_installed
           - package_mcstrans_removed
           - package_setroubleshoot_removed
+          - rsyslog_filecreatemode
           - rsyslog_files_groupownership
           - rsyslog_files_ownership
           - rsyslog_files_permissions

@@ -2428,8 +2428,8 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: supported
-      related_rules:
+      status: automated
+      rules:
           - rsyslog_filecreatemode
 
     - id: 6.2.3.5

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1078,7 +1078,6 @@ CCE-88607-7
 CCE-88608-5
 CCE-88609-3
 CCE-88610-1
-CCE-88611-9
 CCE-88612-7
 CCE-88614-3
 CCE-88615-0

@@ -230,6 +230,7 @@ partition_for_var_log_audit
 partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_network_listening_disabled
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -296,6 +296,7 @@ partition_for_var_log_audit
 partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_network_listening_disabled
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -360,6 +360,7 @@ partition_for_var_log_audit
 partition_for_var_tmp
 postfix_network_listening_disabled
 root_path_no_dot
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -254,6 +254,7 @@ partition_for_dev_shm
 partition_for_tmp
 postfix_network_listening_disabled
 root_path_no_dot
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -249,6 +249,7 @@ partition_for_dev_shm
 partition_for_tmp
 postfix_network_listening_disabled
 root_path_no_dot
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -357,6 +357,7 @@ partition_for_var_log_audit
 partition_for_var_tmp
 postfix_network_listening_disabled
 root_path_no_dot
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -239,6 +239,7 @@ partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_network_listening_disabled
 prefer_64bit_os
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -309,6 +309,7 @@ partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_network_listening_disabled
 prefer_64bit_os
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -223,6 +223,7 @@ partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_network_listening_disabled
 prefer_64bit_os
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -297,6 +297,7 @@ partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_network_listening_disabled
 prefer_64bit_os
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -329,6 +329,7 @@ partition_for_var_tmp
 postfix_network_listening_disabled
 root_path_all_dirs
 root_path_no_dot
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -229,6 +229,7 @@ partition_for_tmp
 postfix_network_listening_disabled
 root_path_all_dirs
 root_path_no_dot
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -225,6 +225,7 @@ partition_for_tmp
 postfix_network_listening_disabled
 root_path_all_dirs
 root_path_no_dot
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions

@@ -326,6 +326,7 @@ partition_for_var_tmp
 postfix_network_listening_disabled
 root_path_all_dirs
 root_path_no_dot
+rsyslog_filecreatemode
 rsyslog_files_groupownership
 rsyslog_files_ownership
 rsyslog_files_permissions