ComplianceAsCode · ggbecker · Apr 13, 2026 · Apr 9, 2026
@@ -369,9 +369,10 @@
       status: partial
       rules:
           - ensure_redhat_gpgkey_installed
+          - package_sequoia-sq_installed
       notes: >
         In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories.
         But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2
        adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat
        GPG key wouldn't be installed, people won't be able to install any RPM package using dnf.

@@ -974,10 +975,10 @@
      notes: |-
          The requirement recommends to remove the whole 'Server with GUI' dnf package group.
          Unfortunately, OVAL can't check for dnf package groups.
          Remediations that would remove and install large package groups are problematic and too destructive.
          We decided to not have a rule for the 'Server with GUI' removal and instead just cover the most singificant package - gdm.
          For more context, see https://github.com/ComplianceAsCode/content/pull/14204 where we failed to create a rule for the package group removal.
          We shall recomend users who want to use the GUI to use the CIS Workstation L2 profile instead.
      rules:
          - package_gdm_removed

@@ -1658,7 +1659,7 @@
          - l1_workstation
      status: automated
      notes: |-
          The requirement gives an example of 45 seconds, but is flexible about the values. It is only
          necessary to ensure there is a timeout configured in alignment to the site policy.
      rules:
          - sshd_set_idle_timeout
@@ -1734,7 +1735,7 @@
      status: automated
      notes: |-
          The CIS benchmark is not opinionated about which loglevel is selected here. Here, this
          profile uses VERBOSE by default, as it allows for the capture of login and logout activity
          as well as key fingerprints.
      rules:
          - sshd_set_loglevel_verbose
@@ -1878,9 +1879,9 @@
          - l1_workstation
      status: automated
      notes: |-
          Members of "wheel" or GID 0 groups are checked by default if the group option is not set for
          pam_wheel.so module. The recommendation states the group should be empty to reinforce the
          use of "sudo" for privileged access. Therefore, members of these groups should be manually
          checked or a different group should be informed.
      rules:
          - var_pam_wheel_group_for_su=cis

@@ -338,6 +338,7 @@ package_openldap-clients_removed
 package_pam_pwquality_installed
 package_rsync_removed
 package_samba_removed
+package_sequoia-sq_installed
 package_setroubleshoot_removed
 package_squid_removed
 package_sudo_installed

@@ -240,6 +240,7 @@ package_nginx_removed
 package_pam_pwquality_installed
 package_rsync_removed
 package_samba_removed
+package_sequoia-sq_installed
 package_setroubleshoot_removed
 package_squid_removed
 package_sudo_installed

@@ -236,6 +236,7 @@ package_nginx_removed
 package_pam_pwquality_installed
 package_rsync_removed
 package_samba_removed
+package_sequoia-sq_installed
 package_squid_removed
 package_sudo_installed
 package_systemd-journal-remote_installed

@@ -337,6 +337,7 @@ package_openldap-clients_removed
 package_pam_pwquality_installed
 package_rsync_removed
 package_samba_removed
+package_sequoia-sq_installed
 package_squid_removed
 package_sudo_installed
 package_systemd-journal-remote_installed