From 93e5bbe28830e4323ad7c61a180f4b39d99ed5b9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 25 Apr 2024 16:43:01 +0200
Subject: [PATCH 1/2] add file_permission_user_init_files_root and associated variable to RHEL 8 STIG profile

---
 .../file_permission_user_init_files_root/rule.yml | 2 ++
 products/rhel8/profiles/stig.profile | 3 ++-
 tests/data/profile_stability/rhel8/stig.profile | 3 ++-
 tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++-
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
index 40f98960494..0d46a366473 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
@@ -18,11 +18,13 @@ rationale: |-
 severity: medium
 
 identifiers:
+ cce@rhel8: CCE-86101-3
 cce@rhel9: CCE-87087-3
 
 references:
 disa: CCI-000366
 srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010770
 
 ocil_clause: 'they are not 0740 or more permissive'
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 52592858770..db14e02b1e8 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -480,7 +480,8 @@ selections:
 - accounts_have_homedir_login_defs
 
 # RHEL-08-010770
- - file_permission_user_init_files
+ - file_permission_user_init_files_root
+ - var_user_initialization_files_regex=all_dotfiles
 
 # RHEL-08-010780
 - no_files_unowned_by_user
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7316228481f..58feb7c2b4a 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
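Review bot: The `stigid@rhel8: RHEL-08-010770` reference added in the rule.yml hunk is not paired with removing that STIG ID from the rule this one supersedes, `file_permission_user_init_files`, whose rule.yml is not touched anywhere in the series. The products/rhel8/profiles/stig.profile hunk shows the old rule was selected under the `# RHEL-08-010770` comment, so it presumably carries `stigid@rhel8: RHEL-08-010770` as well; if both rules reference the same ID, the generated STIG mapping and the SRG/STIG tables will list two rules for one requirement. Please confirm with a search for `RHEL-08-010770` under linux_os/guide and drop the reference from the superseded rule if it is still there. Separately, `cce@rhel8: CCE-86101-3` is not removed from shared/references/cce-redhat-avail.txt in this patch; the second patch replaces the identifier, so the final state is only consistent if CCE-86101-3 was never taken from that pool.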
@@ -165,7 +165,7 @@ selections:
 - installed_OS_is_vendor_supported
 - package_postfix_installed
 - account_password_pam_faillock_system_auth
-- file_permission_user_init_files
+- file_permission_user_init_files_root
 - audit_rules_privileged_commands_ssh_keysign
 - sysctl_fs_protected_hardlinks
 - sshd_enable_strictmodes
@@ -492,6 +492,7 @@ selections:
 - var_screensaver_lock_delay=5_seconds
 - var_logind_session_timeout=15_minutes
 - var_auditd_name_format=stig
+- var_user_initialization_files_regex=all_dotfiles
 unselected_groups: []
 platforms: !!set {}
 cpe_names: !!set {}
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 4d2f67ee1cc..36575716f25 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -66,7 +66,7 @@ selections:
 - audit_rules_usergroup_modification_group
 - kernel_module_atm_disabled
 - audit_rules_unsuccessful_file_modification_open
-- file_permission_user_init_files
+- file_permission_user_init_files_root
 - configure_ssh_crypto_policy
 - dir_ownership_library_dirs
 - package_rsyslog_installed
@@ -499,6 +499,7 @@ selections:
 - var_screensaver_lock_delay=5_seconds
 - var_logind_session_timeout=15_minutes
 - var_auditd_name_format=stig
+- var_user_initialization_files_regex=all_dotfiles
 unselected_groups: []
 platforms: !!set {}
 cpe_names: !!set {}

From 5897559f627c50e14e489d964d4182b3bd72c4d3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 26 Apr 2024 15:01:44 +0200
Subject: [PATCH 2/2] fix cces

---
 .../file_permission_user_init_files_root/rule.yml | 3 ++-
 shared/references/cce-redhat-avail.txt | 2 --
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
index 0d46a366473..c7bda5c9306 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
@@ -18,7 +18,8 @@ rationale: |-
 severity: medium
 
 identifiers:
- cce@rhel8: CCE-86101-3
+ cce@rhel7: CCE-86105-4
+ cce@rhel8: CCE-86106-2
 cce@rhel9: CCE-87087-3
 
 references:
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 5d824cd05cb..ebdc3477c6d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,5 +1,3 @@
-CCE-86105-4
-CCE-86106-2
 CCE-86141-9
 CCE-86142-7
 CCE-86143-5
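Review bot: The `cce@rhel7: CCE-86105-4` line assigns a RHEL 7 identifier, but no hunk in this series selects the rule in a RHEL 7 profile or adds a `stigid@rhel7` reference, and whether RHEL 7 is among the rule's products is outside the hunk; if it is not, the identifier is unused and the CCE is consumed from the pool for nothing. The rhel8 change from CCE-86101-3 to CCE-86106-2 does match the removal of CCE-86105-4 and CCE-86106-2 from shared/references/cce-redhat-avail.txt in the following hunk. CCE-86101-3 was not taken from that pool in the first patch and is not returned to it here, so presumably it already belongs to another rule; worth confirming with a search so the build's duplicate-CCE check is not the first thing to notice.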