From ccdc71ecacac38504b31d53d24d27e9f9db9645a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Fri, 1 Mar 2024 11:14:11 +0100
Subject: [PATCH 1/8] Update file_permissions_systemmap rule
Updated rule description and used the file_permissions template.
---
 .../files/file_permissions_systemmap/rule.yml | 29 ++++++++++++++-----
 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
index 3f83fcd33dd..17a4db22979 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
@@ -1,22 +1,35 @@
 documentation_complete: true
-title: 'Verify that local System.map file (if exists) is readable only by root'
+title: 'Verify Permissions on System.map Files'
 description: |-
- Files containing sensitive informations should be protected by restrictive
- permissions. Most of the time, there is no need that these files need to be read by any non-root user
- {{{ describe_file_permissions(file="/boot/System.map-*", perms="0600") }}}
+ The System.map files are symbol map files generated during the compilation of the Linux
+ kernel. They contain the mapping between kernel symbols and their corresponding memory
+ addresses. In general, there is no need for non-root users to read these files.
+
+ {{{ describe_file_permissions(file="/boot/System.map*", perms="0600") }}}
 rationale: |-
- The System.map file contains information about kernel symbols and
- can give some hints to generate local exploitation.
+ The purpose of System.map files is primarily for debugging and profiling the kernel.
+ Unrestricted access to these files might disclosure information useful to attackers and
+ malicious software leading to more sophisticated exploitation.
-severity: unknown
+severity: low
 identifiers:
 cce@rhel7: CCE-82350-0
 cce@rhel8: CCE-82892-1
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/boot/System.map*", perms="-rw-------") }}}'
 ocil: |-
- {{{ ocil_file_permissions(file="/boot/Sysem.map-*", perms="-rw-------") }}}
+ {{{ ocil_file_permissions(file="/boot/System.map*", perms="-rw-------") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /boot/
+ file_regex: ^.*System\.map.*$
+ filemode: '0600'
+ allow_stricter_permissions: 'true'
+ missing_file_pass: 'true'
From 4fb529229520ad838c8f6e561d40b6c2fff4a5e5 Mon Sep 17 00:00:00 2001
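Review bot: The template's `file_regex: ^.*System\.map.*$` is wider than what the title, description, OCIL and the OVAL removed in the next patch describe: the OVAL anchored the name with `^System\.map.*$`, whereas the new regex accepts any entry in the directory with "System.map" anywhere in its name (a constructed example: `old-System.map.bak` would now be evaluated although the documented target is `/boot/System.map*`). Dropping the leading `.*` keeps the check aligned with the wording: `file_regex: ^System\.map.*$`. Whether `filepath: /boot/` is searched recursively by the file_permissions template is not visible here; if it is, the wider regex also reaches subdirectories, which the removed OVAL (`/boot` plus the anchored regex) does not appear to have done. The same regex is used in the file_owner_systemmap and file_groupowner_systemmap rule.yml hunks added later in this series.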
From: Marcus Burghardt Date: Fri, 1 Mar 2024 11:30:07 +0100 Subject: [PATCH 2/8] Remove local OVAL in favor of template --- .../oval/shared.xml | 40 ------------------- 1 file changed, 40 deletions(-) delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_systemmap/oval/shared.xml diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/oval/shared.xml deleted file mode 100644 index d6140d865da..00000000000 --- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/oval/shared.xml +++ /dev/null @@ -1,40 +0,0 @@ - - - {{{ oval_metadata(" - Checks that /boot/System.map-* are only readable by root. - ") }}} - - - - - - - - - - - - - - /boot - ^System\.map.*$ - - - - 0 - - - - false - false - false - false - false - false - false - false - false - false - - - From e7f8a83fb3ce81ac10be97f1f2e1fbae5efa86c9 Mon Sep 17 00:00:00 2001 
From: Marcus Burghardt
Date: Fri, 1 Mar 2024 12:18:36 +0100
Subject: [PATCH 3/8] Ensure proper test scenarios for templated rule
The file_permissions_systemmap rule is using the file_permissions template, which can't safely manage test scenarios with regex.
---
 .../tests/correct_multiple_files.pass.sh | 5 +++++
 .../tests/correct_permissions.pass.sh | 4 ++++
 .../tests/lenient_multiple_files.fail.sh | 7 +++++++
 .../tests/lenient_permissions.fail.sh | 4 ++++
 .../tests/missing_file_test.pass.sh | 3 +++
 .../tests/stricter_permisions.pass.sh | 4 ++++
 6 files changed, 27 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_multiple_files.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_permissions.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_multiple_files.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_permissions.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/missing_file_test.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/stricter_permisions.pass.sh
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_multiple_files.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_multiple_files.pass.sh
new file mode 100644
index 00000000000..a0c893d84b6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_multiple_files.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+mktemp -p /boot System.map-5.99.0-XXX
+chmod 0600 /boot/System.map*
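Review bot: None of the new fixture scripts enable `set -e`, so a failing `mktemp -p /boot` (for instance when /boot is not writable in a given test backend) goes unnoticed and the script carries on. In a `.pass.sh` scenario the rule may then pass for a reason other than the one being exercised, because the rule declares `missing_file_pass: 'true'`, and whether the trailing `chmod 0600 /boot/System.map*` still finds a genuine kernel map depends on the image; I cannot tell from the diff whether the harness checks the fixture's exit status. Adding `set -e` right after the shebang makes a broken fixture fail loudly instead. The same applies to correct_permissions.pass.sh and stricter_permisions.pass.sh here and to the owner and group-owner pass scripts in patches 4 and 5.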
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_permissions.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_permissions.pass.sh
new file mode 100644
index 00000000000..0cf9cc51f35
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/correct_permissions.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+chmod 0600 /boot/System.map*
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_multiple_files.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_multiple_files.fail.sh
new file mode 100644
index 00000000000..214562466c0
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_multiple_files.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+FAKE_FILE1=$(mktemp -p /boot System.map-5.99.0-XXX)
+chmod 0600 $FAKE_FILE1
+
+FAKE_FILE2=$(mktemp -p /boot System.map-5.99.0-XXX)
+chmod 0644 $FAKE_FILE2
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_permissions.fail.sh
new file mode 100644
index 00000000000..d33bf01fcf0
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/lenient_permissions.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+FAKE_FILE=$(mktemp -p /boot System.map-5.99.0-XXX)
+chmod 0644 $FAKE_FILE
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/missing_file_test.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/missing_file_test.pass.sh
new file mode 100644
index 00000000000..2e51f833751
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/missing_file_test.pass.sh
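Review bot: In lenient_multiple_files.fail.sh and lenient_permissions.fail.sh the command-substitution results are expanded unquoted, as in `chmod 0644 $FAKE_FILE2`; the names mktemp returns here contain no whitespace, so this is a style point, but `chmod 0644 "$FAKE_FILE2"` keeps the scripts shellcheck-clean and also protects against an empty variable if mktemp ever fails. The `chmod 0600 $FAKE_FILE1` in lenient_multiple_files.fail.sh is redundant since mktemp already creates files as 0600, though leaving it in does make the intended contrast with the 0644 file explicit. The same unquoted pattern recurs in the incorrect_owner*.fail.sh and incorrect_groupowner*.fail.sh scripts of patches 4 and 5.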
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /boot/System.map*
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/stricter_permisions.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/stricter_permisions.pass.sh
new file mode 100644
index 00000000000..a0b8c05cecb
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/tests/stricter_permisions.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+chmod 0400 /boot/System.map*
From 5cbc4dbd60aaf142dccb6a5c8552dfcd93286dc0 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Fri, 1 Mar 2024 12:59:35 +0100
Subject: [PATCH 4/8] New templated rule file_owner_systemmap
---
 components/filesystem.yml | 1 +
 .../files/file_owner_systemmap/rule.yml | 35 +++++++++++++++++++
 .../tests/correct_owner.pass.sh | 4 +++
 .../correct_owner_multiple_files.pass.sh | 5 +++
 .../tests/incorrect_owner.fail.sh | 4 +++
 .../incorrect_owner_multiple_files.fail.sh | 7 ++++
 .../tests/missing_file_test.pass.sh | 3 ++
 shared/references/cce-redhat-avail.txt | 3 --
 8 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
 create mode 100644 linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner_multiple_files.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner_multiple_files.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_owner_systemmap/tests/missing_file_test.pass.sh
diff --git a/components/filesystem.yml b/components/filesystem.yml
index 35ff26a0907..063caeaffd4 100644
--- a/components/filesystem.yml
+++ b/components/filesystem.yml
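Review bot: `rm -f /boot/System.map*` in missing_file_test.pass.sh also deletes the genuine symbol map of the installed kernel, so the fixture is only acceptable on the assumption that the suite runs it in a disposable environment, and the scenario passes solely because the rule declares `missing_file_pass: 'true'`. A one-line comment above the `rm` stating both facts, `# Removes the real kernel System.map too; only valid in a throwaway test VM. Passes via missing_file_pass.`, would stop the script from being copied into a context where that is not true. The identical script is added again for file_owner_systemmap and file_groupowner_systemmap in patches 4 and 5.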
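Review bot: The new scenario is named `stricter_permisions.pass.sh` with a single "s", while every other file and variable in the series spells it `permissions`; renaming it to `stricter_permissions.pass.sh` before it lands avoids a permanent typo that reviewers and tooling will grep past. The scenario itself is the right complement to `allow_stricter_permissions: 'true'` in the rule: 0400 is stricter than the 0600 the template requires, so it must pass.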
@@ -51,6 +51,7 @@ rules:
 - file_owner_etc_passwd
 - file_owner_etc_shells
 - file_owner_etc_shadow
+- file_owner_systemmap
 - file_owner_var_log
 - file_owner_var_log_messages
 - file_owner_var_log_syslog
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
new file mode 100644
index 00000000000..ebd6106de36
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns System.map Files'
+
+description: |-
+ The System.map files are symbol map files generated during the compilation of the Linux
+ kernel. They contain the mapping between kernel symbols and their corresponding memory
+ addresses. These files must be owned by root.
+
+ {{{ describe_file_owner(file="/boot/System.map*", owner="root") }}}
+
+rationale: |-
+ The purpose of System.map files is primarily for debugging and profiling the kernel.
+ Unrestricted access to these files might disclosure information useful to attackers and
+ malicious software leading to more sophisticated exploitation.
+
+severity: low
+
+identifiers:
+ cce@rhel7: CCE-86585-7
+ cce@rhel8: CCE-86586-5
+ cce@rhel9: CCE-86587-3
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/System.map*", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/boot/System.map*", owner="root") }}}
+
+template:
+ name: file_owner
+ vars:
+ filepath: /boot/
+ file_regex: ^.*System\.map.*$
+ fileuid: '0'
+ missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner.pass.sh
new file mode 100644
index 00000000000..a103dfcee39
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner.pass.sh
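Review bot: `fileuid: '0'` states the required owner as a raw uid, while the sibling file_groupowner_systemmap rule in patch 5 uses `gid_or_name: root` and this rule's own description and OCIL say `owner="root"`; if the file_owner template only accepts numeric ids (not visible from the diff) a short comment saves the next reader the lookup, `fileuid: '0'  # uid 0 == root, matching owner="root" in the OCIL`. Otherwise the rule mirrors the permissions rule, including `file_regex: ^.*System\.map.*$`, which is wider than the `/boot/System.map*` the OCIL names and would be tightened by `^System\.map.*$`.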
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+chown root /boot/System.map*
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner_multiple_files.pass.sh b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner_multiple_files.pass.sh
new file mode 100644
index 00000000000..c9ee6abd04c
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/correct_owner_multiple_files.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+mktemp -p /boot System.map-5.99.0-XXX
+chown root /boot/System.map*
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner.fail.sh
new file mode 100644
index 00000000000..e6af0371eb6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+FAKE_FILE=$(mktemp -p /boot System.map-5.99.0-XXX)
+chown 5 $FAKE_FILE
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner_multiple_files.fail.sh b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner_multiple_files.fail.sh
new file mode 100644
index 00000000000..402929da102
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/incorrect_owner_multiple_files.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+FAKE_FILE1=$(mktemp -p /boot System.map-5.99.0-XXX)
+chown root $FAKE_FILE1
+
+FAKE_FILE2=$(mktemp -p /boot System.map-5.99.0-XXX)
+chown 5 $FAKE_FILE2
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/missing_file_test.pass.sh b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/missing_file_test.pass.sh
new file mode 100644
index 00000000000..2e51f833751
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/tests/missing_file_test.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /boot/System.map*
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 8b7712fb422..b45418d1c17 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -148,9 +148,6 @@ CCE-86581-6
 CCE-86582-4
 CCE-86583-2
 CCE-86584-0
-CCE-86585-7
-CCE-86586-5
-CCE-86587-3
 CCE-86589-9
 CCE-86590-7
 CCE-86591-5
From 0316943a723ea6a60b846c35f0fd688d521c0b47 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Fri, 1 Mar 2024 13:17:26 +0100
Subject: [PATCH 5/8] New templated rule file_groupowner_systemmap
---
 components/filesystem.yml | 1 +
 .../files/file_groupowner_systemmap/rule.yml | 35 +++++++++++++++++++
 .../tests/correct_groupowner.pass.sh | 4 +++
 .../correct_groupowner_multiple_files.pass.sh | 5 +++
 .../tests/incorrect_groupowner.fail.sh | 4 +++
 ...ncorrect_groupowner_multiple_files.fail.sh | 7 ++++
 .../tests/missing_file_test.pass.sh | 3 ++
 shared/references/cce-redhat-avail.txt | 3 --
 8 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
 create mode 100644 linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner_multiple_files.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner_multiple_files.fail.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/missing_file_test.pass.sh
diff --git a/components/filesystem.yml b/components/filesystem.yml
index 063caeaffd4..dfa22e9730b 100644
--- a/components/filesystem.yml
+++ b/components/filesystem.yml
@@ -36,6 +36,7 @@ rules:
 - file_groupowner_etc_passwd
 - file_groupowner_etc_shadow
 - file_groupowner_etc_shells
+- file_groupowner_systemmap
 - file_groupowner_var_log
 - file_groupowner_var_log_messages
 - file_groupowner_var_log_syslog
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
new file mode 100644
index 00000000000..833507cd517
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns System.map Files'
+
+description: |-
+ The System.map files are symbol map files generated during the compilation of the Linux
+ kernel. They contain the mapping between kernel symbols and their corresponding memory
+ addresses. These files must be group-owned by root.
+
+ {{{ describe_file_group_owner(file="/boot/System.map*", group="root") }}}
+
+rationale: |-
+ The purpose of System.map files is primarily for debugging and profiling the kernel.
+ Unrestricted access to these files might disclosure information useful to attackers and
+ malicious software leading to more sophisticated exploitation.
+
+severity: low
+
+identifiers:
+ cce@rhel7: CCE-86582-4
+ cce@rhel8: CCE-86583-2
+ cce@rhel9: CCE-86584-0
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/System.map*", group="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/boot/System.map*", group="root") }}}
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /boot/
+ file_regex: ^.*System\.map.*$
+ gid_or_name: root
+ missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner.pass.sh
new file mode 100644
index 00000000000..e20f401551a
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+chgrp root /boot/System.map*
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner_multiple_files.pass.sh b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner_multiple_files.pass.sh
new file mode 100644
index 00000000000..ef513651449
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/correct_groupowner_multiple_files.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mktemp -p /boot System.map-5.99.0-XXX
+mktemp -p /boot System.map-5.99.0-XXX
+chgrp root /boot/System.map*
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 00000000000..ce5f055e3f0
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+FAKE_FILE=$(mktemp -p /boot System.map-5.99.0-XXX)
+chgrp 5 $FAKE_FILE
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner_multiple_files.fail.sh b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner_multiple_files.fail.sh
new file mode 100644
index 00000000000..437c5ec0687
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/incorrect_groupowner_multiple_files.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+FAKE_FILE1=$(mktemp -p /boot System.map-5.99.0-XXX)
+chgrp root $FAKE_FILE1
+
+FAKE_FILE2=$(mktemp -p /boot System.map-5.99.0-XXX)
+chgrp 5 $FAKE_FILE2
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/missing_file_test.pass.sh b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/missing_file_test.pass.sh
new file mode 100644
index 00000000000..2e51f833751
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/tests/missing_file_test.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /boot/System.map*
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b45418d1c17..e8621b2b401 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -145,9 +145,6 @@ CCE-86577-4
 CCE-86578-2
 CCE-86579-0
 CCE-86581-6
-CCE-86582-4
-CCE-86583-2
-CCE-86584-0
 CCE-86589-9
 CCE-86590-7
 CCE-86591-5
From 9dcc9de6ef4f0267eceb8eca26a748248f91257d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Fri, 1 Mar 2024 13:24:22 +0100
Subject: [PATCH 6/8] Include RHEL9 CCE for file_permissions_systemmap
---
 .../system/permissions/files/file_permissions_systemmap/rule.yml | 1 +
 shared/references/cce-redhat-avail.txt | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
index 17a4db22979..456f07d19c2 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
@@ -19,6 +19,7 @@ severity: low
 identifiers:
 cce@rhel7: CCE-82350-0
 cce@rhel8: CCE-82892-1
+ cce@rhel9: CCE-86581-6
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/boot/System.map*", perms="-rw-------") }}}'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index e8621b2b401..b30df489035 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -144,7 +144,6 @@ CCE-86576-6
 CCE-86577-4
 CCE-86578-2
 CCE-86579-0
-CCE-86581-6
 CCE-86589-9
 CCE-86590-7
 CCE-86591-5
From 9d9d81319f673b56d77330cca3d3cea14d6eb367 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Fri, 1 Mar 2024 13:28:33 +0100
Subject: [PATCH 7/8] Update ANSSI requirement R29
Rules related to System.map files are now complete. The file_permissions_systemmap rule was also removed from the "default" profile for RHEL products since it is now included in ANSSI control file.
---
 controls/anssi.yml | 6 ++++--
 products/rhel7/profiles/default.profile | 1 -
 products/rhel8/profiles/default.profile | 1 -
 products/rhel9/profiles/default.profile | 1 -
 4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 735e323efd4..3361bcd0c9e 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -696,7 +696,7 @@ controls:
 The /boot partition mounted is essential to perform certain administrative actions, for example updating the kernel. Therefore, for better stability, in this requirement only rules to restrict the access to /boot are selected. It is not changed how the /boot is mounted.
- status: partial
+ status: automated
 rules:
 - file_groupowner_efi_grub2_cfg
 - file_groupowner_grub2_cfg
@@ -710,8 +710,10 @@ controls:
 - file_owner_user_cfg
 - file_permissions_efi_user_cfg
 - file_permissions_user_cfg
+ - file_groupowner_systemmap
+ - file_owner_systemmap
+ - file_permissions_systemmap
 related_rules:
- - file_permissions_systemmap # missing remediation
 - mount_option_boot_noauto
 - id: R30
diff --git a/products/rhel7/profiles/default.profile b/products/rhel7/profiles/default.profile
index c6be9a58610..6f6f808b109 100644
--- a/products/rhel7/profiles/default.profile
+++ b/products/rhel7/profiles/default.profile
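Review bot: The three systemmap rules are appended after `file_permissions_user_cfg`, which breaks the alphabetical grouping the surrounding `rules:` entries follow (`file_groupowner_*`, then `file_owner_*`, then `file_permissions_*`); slotting each one next to its prefix group, e.g. `- file_groupowner_systemmap` among the other `file_groupowner_*` entries, keeps the list scannable. The `status` moves from partial to automated and the `# missing remediation` note on `file_permissions_systemmap` is dropped; that is consistent only if the file_permissions template actually ships a remediation for this rule, which cannot be confirmed from this diff and is worth a glance. The enclosing R29 control starts before the hunk, so its other fields are not visible here.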
@@ -410,7 +410,6 @@ selections:
 - audit_rules_unsuccessful_file_modification_fchownat
 - sebool_openvpn_enable_homedirs
 - bios_disable_usb_boot
- - file_permissions_systemmap
 - service_docker_enabled
 - file_owner_etc_hosts_allow
 - audit_rules_unsuccessful_file_modification_open_o_creat
diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile
index 127bef3cc12..b89cce7acbc 100644
--- a/products/rhel8/profiles/default.profile
+++ b/products/rhel8/profiles/default.profile
@@ -451,7 +451,6 @@ selections:
 - sebool_openvpn_enable_homedirs
 - zipl_enable_selinux
 - bios_disable_usb_boot
- - file_permissions_systemmap
 - audit_rules_unsuccessful_file_modification_open_o_creat
 - kernel_config_ipv6
 - service_rpcgssd_disabled
diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
index 3b07da302af..07ac0183a6f 100644
--- a/products/rhel9/profiles/default.profile
+++ b/products/rhel9/profiles/default.profile
@@ -370,7 +370,6 @@ selections:
 - audit_rules_unsuccessful_file_modification_fchownat
 - sebool_openvpn_enable_homedirs
 - zipl_enable_selinux
- - file_permissions_systemmap
 - audit_rules_unsuccessful_file_modification_open_o_creat
 - kernel_config_ipv6
 - audit_rules_successful_file_modification_chown
From 87e45d2e312191270c2dc93fb7f936231d055cb0 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com>
Date: Fri, 1 Mar 2024 17:07:33 +0100
Subject: [PATCH 8/8] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jan Černý
---
 .../system/permissions/files/file_groupowner_systemmap/rule.yml | 2 +-
 .../system/permissions/files/file_owner_systemmap/rule.yml | 2 +-
 .../permissions/files/file_permissions_systemmap/rule.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
index 833507cd517..81fe104ffe0 100644
--- a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml
@@ -11,7 +11,7 @@ description: |-
 rationale: |-
 The purpose of System.map files is primarily for debugging and profiling the kernel.
- Unrestricted access to these files might disclosure information useful to attackers and
+ Unrestricted access to these files might disclose information useful to attackers and
 malicious software leading to more sophisticated exploitation.
 severity: low
diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
index ebd6106de36..8463baee299 100644
--- a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml
@@ -11,7 +11,7 @@ description: |-
 rationale: |-
 The purpose of System.map files is primarily for debugging and profiling the kernel.
- Unrestricted access to these files might disclosure information useful to attackers and
+ Unrestricted access to these files might disclose information useful to attackers and
 malicious software leading to more sophisticated exploitation.
 severity: low
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
index 456f07d19c2..2c6b0ab7525 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml
@@ -11,7 +11,7 @@ description: |-
 rationale: |-
 The purpose of System.map files is primarily for debugging and profiling the kernel.
- Unrestricted access to these files might disclosure information useful to attackers and
+ Unrestricted access to these files might disclose information useful to attackers and
 malicious software leading to more sophisticated exploitation.
 severity: low