From 00408e85a3b6141174ed824175f8b5c03de2ff31 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 26 Mar 2020 15:13:01 +0100 Subject: [PATCH 01/13] Select rhel8 FIPS rules in RHV4 profiles Changes selection of FIPS related rules in RHV4 product to the appropriate RHEL8 equivalent. Also migrates rule prodtypes and platforms to rhel8. --- .../integrity/fips/enable_dracut_fips_module/rule.yml | 2 +- .../software/integrity/fips/enable_fips_mode/bash/shared.sh | 2 +- .../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 +- .../software/integrity/fips/etc_system_fips_exists/rule.yml | 2 +- .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 2 +- .../integrity/fips/grub2_enable_fips_mode/bash/shared.sh | 2 +- .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 2 +- .../fips/package_dracut-fips_installed/ansible/shared.yml | 2 +- .../fips/package_dracut-fips_installed/bash/shared.sh | 2 +- .../integrity/fips/package_dracut-fips_installed/rule.yml | 2 +- .../integrity/fips/sysctl_crypto_fips_enabled/rule.yml | 2 +- rhv4/profiles/rhvh-stig.profile | 4 ++-- rhv4/profiles/rhvh-vpp.profile | 2 +- 13 files changed, 14 insertions(+), 14 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml index ac4560e10632..7e04bd27f918 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: "Enable Dracut FIPS Module" diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh index e5990c5128de..87476a7b3150 100644 
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,Red Hat Virtualization 4 fips-mode-setup --enable diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 4a0128d7f20b..bd956ed71084 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: Enable FIPS Mode diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml index 29755ec0b128..a2d73bcf4f41 100644 --- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: Ensure '/etc/system-fips' exists diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml index 5a8115ca6437..59078674e673 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml 
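Review bot: The enable_fips_mode bash remediation is extended to RHV4 here, but its header still carries only `# platform` and nothing records that a reboot is required. The `@@ -1,3 +1,3 @@` range shows the file is just the header, a blank line and `fips-mode-setup --enable`, whereas the configure_kerberos_crypto_policy bash remediation touched later in this series declares `# reboot = true`. FIPS mode enabled this way only takes effect after the next boot, so a host scanned straight after remediation can still report as non-compliant. I would add `# reboot = true` under the platform line.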
@@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_rhv +# platform = Oracle Linux 7,Red Hat Enterprise Linux 7 # reboot = true # strategy = restrict # complexity = high diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh index 19fc3cae5475..463abd4434c4 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_rhv,multi_platform_wrlinux +# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_wrlinux # include remediation functions library . /usr/share/scap-security-guide/remediation_functions diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index d65031b86f2f..335810bd2e1b 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ocp4,ol7,rhel7,rhv4,wrlinux1019 +prodtype: ocp4,ol7,rhel7,wrlinux1019 title: 'Enable FIPS Mode in GRUB2' diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml index a7c2d30f571f..aed9d35dd760 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml 
@@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,Red Hat OpenShift Container Platform 4 +# platform = Oracle Linux 7,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat OpenShift Container Platform 4 # reboot = false # strategy = enable # complexity = low diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh index a97827c1160d..ceddefc0d8ee 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Virtualization 4 +# platform = Oracle Linux 7,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7 {{{ bash_package_install("dracut-fips") }}} diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml index 546cfc70b4a1..89754734e3db 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ocp4,ol7,rhel6,rhel7,rhv4 +prodtype: ocp4,ol7,rhel6,rhel7 title: 'Install the dracut-fips Package' diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index 50079bf27040..8bf8b8549a28 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: "Set kernel parameter 'crypto.fips_enabled' to 1" diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile index 49fb81520f45..9c99fe63ac1b 100644 --- a/rhv4/profiles/rhvh-stig.profile +++ b/rhv4/profiles/rhvh-stig.profile @@ -311,12 +311,12 @@ selections: - aide_verify_acls - aide_verify_ext_attributes - disable_prelink - - grub2_enable_fips_mode + - enable_fips_mode - install_antivirus - install_hids - ldap_client_start_tls - package_aide_installed - - package_dracut-fips_installed + - enable_dracut_fips_module - rpm_verify_hashes - install_PAE_kernel_on_x86-32 - service_kdump_disabled diff --git a/rhv4/profiles/rhvh-vpp.profile b/rhv4/profiles/rhvh-vpp.profile index 7fc89adcf2d5..1d13c808b217 100644 --- a/rhv4/profiles/rhvh-vpp.profile +++ b/rhv4/profiles/rhvh-vpp.profile @@ -198,7 +198,7 @@ selections: # IA-7 - installed_OS_is_FIPS_certified - - grub2_enable_fips_mode + - enable_fips_mode # MP-7 - kernel_module_usb-storage_disabled From 1f49459d0b61718b544937f1bad189897f47f1b5 Mon Sep 17 00:00:00 2001 
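Review bot: rhvh-vpp.profile gets `enable_fips_mode` in place of `grub2_enable_fips_mode` but, unlike the rhvh-stig.profile hunk just before it, no `enable_dracut_fips_module`. The vpp hunk only shows lines 198-204, so it is not visible whether `package_dracut-fips_installed` is selected elsewhere in that profile. If it is, that selection now refers to a rule whose prodtype no longer includes rhv4 (removed earlier in this patch) and would presumably not end up in the built profile. I would check the rest of the file and, if the dracut module is in scope for VPP, add `- enable_dracut_fips_module` next to `- enable_fips_mode` under `# IA-7`.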
From: Watson Sato Date: Thu, 26 Mar 2020 15:28:58 +0100 Subject: [PATCH 02/13] Select crypto-policy rules in RHV4 Profiles And unselect rules made obsolete by them Also migrates rule prodtypes and platforms to rhel8. --- .../package_bind_removed/rule.yml | 2 +- .../sshd_use_approved_ciphers/ansible/shared.yml | 2 +- .../sshd_use_approved_ciphers/bash/shared.sh | 2 +- .../sshd_use_approved_ciphers/oval/shared.xml | 1 - .../ssh_server/sshd_use_approved_ciphers/rule.yml | 2 +- .../sshd_use_approved_macs/ansible/shared.yml | 2 +- .../sshd_use_approved_macs/bash/shared.sh | 2 +- .../sshd_use_approved_macs/oval/shared.xml | 1 - .../ssh/ssh_server/sshd_use_approved_macs/rule.yml | 2 +- .../package_libreswan_installed/rule.yml | 2 +- .../configure_bind_crypto_policy/bash/shared.sh | 2 +- .../crypto/configure_bind_crypto_policy/rule.yml | 2 +- .../configure_crypto_policy/ansible/shared.yml | 2 +- .../crypto/configure_crypto_policy/bash/shared.sh | 2 +- .../crypto/configure_crypto_policy/rule.yml | 2 +- .../ansible/shared.yml | 2 +- .../configure_kerberos_crypto_policy/bash/shared.sh | 2 +- .../configure_kerberos_crypto_policy/rule.yml | 2 +- .../ansible/shared.yml | 2 +- .../bash/shared.sh | 2 +- .../configure_libreswan_crypto_policy/rule.yml | 2 +- .../ansible/shared.yml | 2 +- .../configure_openssl_crypto_policy/bash/shared.sh | 2 +- .../crypto/configure_openssl_crypto_policy/rule.yml | 2 +- .../configure_ssh_crypto_policy/ansible/shared.yml | 2 +- .../configure_ssh_crypto_policy/bash/shared.sh | 2 +- .../configure_ssh_crypto_policy/oval/shared.xml | 6 +----- .../crypto/configure_ssh_crypto_policy/rule.yml | 2 +- rhv4/profiles/rhvh-stig.profile | 11 +++++++---- rhv4/profiles/rhvh-vpp.profile | 13 +++++++++---- 30 files changed, 42 insertions(+), 40 deletions(-) diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml index 3cf3ccacc1cb..88d46a5d5cc2 100644 
--- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml +++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8 +prodtype: ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 title: 'Uninstall bind Package' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml index ef331a843ea0..1ec8f045e891 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_rhv +# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh index a29413827237..6d3bb060476b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_rhv +# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7 # Include source function library. . /usr/share/scap-security-guide/remediation_functions diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml index 19b63d404f3f..c3a6c7d1aafb 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml @@ -6,7 +6,6 @@ multi_platform_wrlinux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 - multi_platform_rhv Oracle Linux 7 Limit the ciphers to those which are FIPS-approved. diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml index e043b12c93a1..09cfc3b5fed2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,rhel6,rhel7,rhel8,rhv4,wrlinux1019,wrlinux8 +prodtype: ol7,rhel6,rhel7,rhel8,wrlinux1019,wrlinux8 title: 'Use Only FIPS 140-2 Validated Ciphers' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml index 07f59720037f..1a09a3197c41 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_rhv +# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh index 2c4f217b3378..2972022b5248 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle # Include source function library. . /usr/share/scap-security-guide/remediation_functions diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml index 52ac0eb5ad56..c2470f510244 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml @@ -6,7 +6,6 @@ multi_platform_wrlinux Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 - multi_platform_rhv multi_platform_sle12 Oracle Linux 7 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml index 6a582c957740..7e478bb87979 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,rhel6,rhel7,rhel8,rhv4,sle12,wrlinux1019 +prodtype: ol7,rhel6,rhel7,rhel8,sle12,wrlinux1019 title: 'Use Only FIPS 140-2 Validated MACs' diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml index 669eef29a159..5351fdb0250b 100644 --- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8 +prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4 title: 'Install libreswan Package' 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/bash/shared.sh index 794451cf6a47..bbe14199d5a7 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 function remediate_bind_crypto_policy() { CONFIG_FILE="/etc/named.conf" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml index aadab6a7c834..8a07e4b78daa 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: 'Configure BIND to use System Crypto Policy' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml index 01cd7f673a28..9d3f9c0c65c6 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 # reboot = false # strategy = restrict # complexity = low 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh index c8a6f2eee32a..2cdba7d2b779 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 # include remediation functions library . /usr/share/scap-security-guide/remediation_functions diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml index ad054096ee5c..ba235a2009af 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: 'Configure System Cryptography Policy' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/ansible/shared.yml index e3de38109a62..0e0bb79ab248 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 # reboot = true # strategy = configure # complexity = low 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/bash/shared.sh index 3c127ae07360..be869edf9aab 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 # reboot = true # strategy = configure # complexity = low diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml index 1fd1be2160c1..dac4c354837b 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: 'Configure Kerberos to use System Crypto Policy' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/ansible/shared.yml index 8a56ddb1ac5f..c529966c0a48 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/ansible/shared.yml 
@@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/bash/shared.sh index 166d9f62d012..ade7563b6999 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 function remediate_libreswan_crypto_policy() { CONFIG_FILE="/etc/ipsec.conf" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml index 84a4f5c15554..cf961196652d 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: 'Configure Libreswan to use System Crypto Policy' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml index 959426abfff5..e6318f221c5c 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml 
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh index b7f36fc00208..0b3cbf3b46f6 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml index 2bdca08c651b..276a8ed41c19 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ocp4,ol8,rhel8 +prodtype: fedora,ocp4,ol8,rhel8,rhv4 title: 'Configure OpenSSL library to use System Crypto Policy' diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml index e06e745abeed..f92a496e6f5a 100644 
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 # reboot = true # strategy = disable # complexity = low diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh index 6093b0a3e4ab..7f288499dca1 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8,Red Hat Virtualization 4 SSH_CONF="/etc/sysconfig/sshd" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml index 637b76d22746..0597123d6f3f 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml @@ -2,11 +2,7 @@ Configure SSH to use System Crypto Policy. - - multi_platform_fedora - Red Hat Enterprise Linux 8 - Oracle Linux 8 - + {{{- oval_affected(products) }}} SSH should be configured to use the system-wide crypto policy setting. 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml index db5ce07f0ecd..65f4342da607 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol8,rhel8 +prodtype: fedora,ol8,rhel8,rhv4 title: 'Configure SSH to use System Crypto Policy' diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile index 9c99fe63ac1b..4215c1620b53 100644 --- a/rhv4/profiles/rhvh-stig.profile +++ b/rhv4/profiles/rhvh-stig.profile @@ -202,19 +202,22 @@ selections: - service_zebra_disabled - use_kerberos_security_all_exports - disable_host_auth - - sshd_allow_only_protocol2 - sshd_disable_compression - sshd_disable_gssapi_auth - sshd_disable_kerb_auth - - sshd_disable_rhosts_rsa - sshd_do_not_permit_user_env - sshd_enable_strictmodes - sshd_enable_warning_banner - var_sshd_set_keepalive=3 - sshd_set_keepalive - - sshd_use_approved_ciphers - - sshd_use_approved_macs - sshd_use_priv_separation + - var_system_crypto_policy=fips_ospp + - configure_crypto_policy + - configure_ssh_crypto_policy + - configure_openssl_crypto_policy + - configure_bind_crypto_policy + - configure_kerberos_crypto_policy + - configure_libreswan_crypto_policy - var_accounts_user_umask=077 - var_selinux_policy_name=targeted - var_selinux_state=enforcing diff --git a/rhv4/profiles/rhvh-vpp.profile b/rhv4/profiles/rhvh-vpp.profile index 1d13c808b217..ace88005389a 100644 --- a/rhv4/profiles/rhvh-vpp.profile +++ b/rhv4/profiles/rhvh-vpp.profile 
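Review bot: `sshd_allow_only_protocol2` and `sshd_disable_rhosts_rsa` are dropped in the rhvh-stig.profile hunk together with `sshd_use_approved_ciphers` and `sshd_use_approved_macs`, but only the latter two are replaced by the crypto-policy rules added below; the first rhvh-vpp.profile hunk makes the same removals. Presumably the first two go because the OpenSSH on RHEL 8-based hosts no longer implements protocol 1, yet nothing in the profile records that, so someone mapping STIG items to selections sees two controls vanish without a substitute. A short comment would help, e.g. `# sshd_allow_only_protocol2, sshd_disable_rhosts_rsa: not selected, SSH protocol 1 is not available on RHEL 8-based hosts`. Note also that the SSH cipher and MAC set is now enforced only indirectly, through `var_system_crypto_policy=fips_ospp` and `configure_crypto_policy`, so those selections should stay together with `configure_ssh_crypto_policy`.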
@@ -62,11 +62,9 @@ selections: - file_permissions_sshd_private_key - file_permissions_sshd_pub_key - disable_host_auth - - sshd_allow_only_protocol2 - sshd_disable_compression - sshd_disable_gssapi_auth - sshd_disable_kerb_auth - - sshd_disable_rhosts_rsa - sshd_disable_root_login - sshd_do_not_permit_user_env - sshd_enable_strictmodes @@ -75,10 +73,12 @@ selections: - sshd_set_idle_timeout - sshd_set_keepalive - sshd_set_loglevel_info - - sshd_use_approved_ciphers - - sshd_use_approved_macs - sshd_use_priv_separation - sshd_disable_empty_passwords + - var_system_crypto_policy=fips_ospp + - configure_crypto_policy + - configure_ssh_crypto_policy + - configure_openssl_crypto_policy # AU -5(b) - audit_rules_system_shutdown @@ -205,6 +205,11 @@ selections: - kernel_module_bluetooth_disabled - service_bluetooth_disabled + # SC-13 + - configure_bind_crypto_policy + - configure_kerberos_crypto_policy + - configure_libreswan_crypto_policy + # SC-39 - sysctl_kernel_exec_shield - sysctl_kernel_kptr_restrict From d3bb0853090b89a1e05c2c0e679f4e69787597be Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 27 Mar 2020 18:17:12 +0100 Subject: [PATCH 03/13] Install audisp plugin to be able to configure it Rules that configure audispd plugin are failing due to missing config files. --- rhv4/profiles/rhvh-stig.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile index 4215c1620b53..aa56f6e50501 100644 --- a/rhv4/profiles/rhvh-stig.profile +++ b/rhv4/profiles/rhvh-stig.profile @@ -416,6 +416,7 @@ selections: - partition_for_var_log_audit - partition_for_tmp - grub2_no_removeable_media + - package_audispd-plugins_installed - auditd_audispd_configure_remote_server - auditd_audispd_encrypt_sent_records - auditd_audispd_disk_full_action From 1541043a8ff151cbd75a5233ba233c77f9b886f9 Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Wed, 1 Apr 2020 18:51:12 +0200 Subject: [PATCH 04/13] Update applicability of audispd rules for RHV4 --- .../auditd_audispd_configure_remote_server/bash/shared.sh | 2 +- .../auditd_audispd_configure_remote_server/oval/shared.xml | 4 ++-- .../auditd_audispd_configure_remote_server/rule.yml | 4 ++-- .../auditd_audispd_encrypt_sent_records/bash/shared.sh | 2 +- .../auditd_audispd_encrypt_sent_records/oval/shared.xml | 6 +++--- .../auditd_audispd_encrypt_sent_records/rule.yml | 4 ++-- .../ansible/shared.yml | 2 +- .../auditd_audispd_syslog_plugin_activated/bash/shared.sh | 2 +- .../auditd_audispd_syslog_plugin_activated/oval/shared.xml | 4 ++-- .../auditd_audispd_syslog_plugin_activated/rule.yml | 4 ++-- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh index c31dc5297a9d..517f384f22d5 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh @@ -2,7 +2,7 @@ . /usr/share/scap-security-guide/remediation_functions populate var_audispd_remote_server -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} AUDITCONFIG=/etc/audit/audisp-remote.conf {{% else %}} AUDITCONFIG=/etc/audisp/audisp-remote.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/oval/shared.xml index 7ee22c97d62d..cf74b1129d32 100644 
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/oval/shared.xml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/oval/shared.xml @@ -5,7 +5,7 @@ multi_platform_all -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname {{% else %}} remote_server setting in /etc/audisp/audisp-remote.conf is set to a certain IP address or hostname @@ -22,7 +22,7 @@ -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} /etc/audit/audisp-remote.conf {{% else %}} /etc/audisp/audisp-remote.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml index 866b268e026f..e27b4d5fe810 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml @@ -8,7 +8,7 @@ description: |- Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the remote_server option in
-{{%- if product in ["rhel8", "fedora", "ol8"] -%}}
+{{%- if product in ["rhel8", "fedora", "ol8", "rhv4"] -%}}
     /etc/audit/audisp-remote.conf
 {{%- else -%}}
     /etc/audisp/audisp-remote.conf
@@ -41,7 +41,7 @@ ocil_clause: 'audispd is not sending logs to a remote system'
 ocil: |-
     To verify the audispd plugin off-loads audit records onto a different system or
     media from the system being audited, run the following command:
-{{% if product in ["rhel8", "fedora", "ol8"] %}}
+{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
     
$ sudo grep -i remote_server /etc/audit/audisp-remote.conf
{{% else %}}
$ sudo grep -i remote_server /etc/audisp/audisp-remote.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/bash/shared.sh index a196e155d05f..344ff38442e4 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/bash/shared.sh @@ -1,7 +1,7 @@ # platform = multi_platform_wrlinux,multi_platform_all . /usr/share/scap-security-guide/remediation_functions -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} AUDISP_REMOTE_CONFIG="/etc/audit/audisp-remote.conf" option="^transport" value="KRB5" diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml index 648aa5f5a9f7..6d82377bd567 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml @@ -5,7 +5,7 @@ multi_platform_all -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} transport setting in /etc/audit/audisp-remote.conf is set to 'KRB5' {{% else %}} enable_krb5 setting in /etc/audisp/audisp-remote.conf is set to 'yes' 
@@ -23,14 +23,14 @@ -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} /etc/audit/audisp-remote.conf {{% else %}} /etc/audisp/audisp-remote.conf {{% endif %}} -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} ^[ ]*transport[ ]+=[ ]+KRB5[ ]*$ {{% else %}} ^[ ]*enable_krb5[ ]+=[ ]+yes[ ]*$ diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml index c0160e20fa05..1844db5dc281 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml @@ -7,7 +7,7 @@ title: 'Encrypt Audit Records Sent With audispd Plugin' description: |- Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} Set the transport option in
/etc/audit/audisp-remote.conf
to KRB5. {{% else %}} @@ -39,7 +39,7 @@ ocil_clause: 'audispd is not encrypting audit records when sent over the network ocil: |- To verify the audispd plugin encrypts audit records off-loaded onto a different system or media from the system being audited, run the following command: -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
$ sudo grep -i transport /etc/audit/audisp-remote.conf
The output should return the following:
transport = KRB5
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/ansible/shared.yml index 53848de2ac14..56611725138f 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/ansible/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/ansible/shared.yml @@ -6,7 +6,7 @@ - name: enable syslog plugin lineinfile: - {{% if product in ["rhel8", "fedora", "ol8"] -%}} + {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] -%}} dest: /etc/audit/plugins.d/syslog.conf {{%- else -%}} dest: /etc/audisp/plugins.d/syslog.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/bash/shared.sh index 5b1b60b5e5b6..6f2b49d440c6 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/bash/shared.sh @@ -2,7 +2,7 @@ . /usr/share/scap-security-guide/remediation_functions var_syslog_active="yes" -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf {{% else %}} AUDISP_SYSLOGCONFIG=/etc/audisp/plugins.d/syslog.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml index 32033337391c..5f1c548b745d 100644 
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml @@ -5,7 +5,7 @@ multi_platform_all -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} active setting in /etc/audit/plugins.d/syslog.conf is set to 'yes' {{% else %}} active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes' @@ -23,7 +23,7 @@ -{{% if product in ["rhel8", "fedora", "ol8"] %}} +{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} /etc/audit/plugins.d/syslog.conf {{% else %}} /etc/audisp/plugins.d/syslog.conf diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml index 96f5da926b0b..8c21beeb7c1c 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml @@ -6,7 +6,7 @@ description: |- To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in -{{%- if product in ["rhel8", "fedora", "ol8"] -%}} +{{%- if product in ["rhel8", "fedora", "ol8", "rhv4"] -%}} /etc/audit/plugins.d/syslog.conf {{%- else -%}} /etc/audisp/plugins.d/syslog.conf @@ -51,7 +51,7 @@ ocil_clause: 'it is not activated' ocil: |- To verify the audispd's syslog plugin is active, run the following command: -{{% if product in ["rhel8", "fedora"] %}} +{{% if product in ["rhel8", "fedora", "rhv4"] %}}
$ sudo grep active /etc/audit/plugins.d/syslog.conf
{{% else %}}
$ sudo grep active /etc/audisp/plugins.d/syslog.conf
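Review bot: The OCIL conditional changed in this hunk still omits `ol8`: it becomes `["rhel8", "fedora", "rhv4"]`, while the description conditional in the previous hunk of the same rule.yml and every other audispd conditional in this patch uses `["rhel8", "fedora", "ol8", "rhv4"]`. On Oracle Linux 8 the rendered OCIL would then tell the auditor to grep /etc/audisp/plugins.d/syslog.conf while the description, remediation and OVAL check point at /etc/audit/plugins.d/syslog.conf. Since the line is being edited anyway, it could read `{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}`. The product list is repeated by hand in every conditional across the three audispd rules, which is probably how this one drifted; defining it once would keep the copies in step.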
From ec1d8b2b765026a867644f9354b5009cca5e7c55 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 26 Mar 2020 16:08:47 +0100 Subject: [PATCH 05/13] Remove rules for packages deprecated in RHEL8 And migrate their prodtypes and platforms to rhel8. --- .../package_screen_installed/rule.yml | 2 +- .../console_screen_locking/package_tmux_installed/rule.yml | 2 +- rhv4/profiles/rhvh-stig.profile | 7 +------ 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml index 97023444c00a..a2348956d65f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhel6,rhel7,rhv4,wrlinux1019 +prodtype: fedora,rhel6,rhel7,wrlinux1019 title: 'Install the screen Package' diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml index 321a70013879..cafb0d5b3893 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol8,rhel8 +prodtype: fedora,ol8,rhel8,rhv4 title: 'Install the tmux Package' diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile index aa56f6e50501..9cabc0c3c4cf 100644 
--- a/rhv4/profiles/rhvh-stig.profile +++ b/rhv4/profiles/rhvh-stig.profile @@ -21,7 +21,7 @@ selections: - accounts_password_pam_ucredit - var_password_pam_lcredit=1 - accounts_password_pam_lcredit - - package_screen_installed + - package_tmux_installed - sshd_idle_timeout_value=10_minutes - sshd_set_idle_timeout - accounts_password_all_shadowed @@ -180,25 +180,20 @@ selections: - disable_ctrlaltdel_reboot - disable_ctrlaltdel_burstaction - libreswan_approved_tunnels - - no_rsh_trust_files - - package_rsh_removed - package_rsh-server_removed - package_talk_removed - package_talk-server_removed - package_telnet_removed - package_telnet-server_removed - package_xinetd_removed - - package_ypbind_removed - package_ypserv_removed - service_crond_enabled - service_rexec_disabled - service_rlogin_disabled - - service_rsh_disabled - sshd_required=yes - service_sshd_enabled - service_telnet_disabled - service_xinetd_disabled - - service_ypbind_disabled - service_zebra_disabled - use_kerberos_security_all_exports - disable_host_auth From c5cc54c749ad65d1beb235308028d4b483a7b493 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 27 Mar 2020 10:58:54 +0100 Subject: [PATCH 06/13] Move rhv4 grub2_bootloader_argument rules to rhel8 --- linux_os/guide/system/auditing/grub2_audit_argument/rule.yml | 4 ++-- .../disabling_ipv6/grub2_ipv6_disable_argument/rule.yml | 4 ++-- shared/templates/template_ANSIBLE_grub2_bootloader_argument | 2 +- shared/templates/template_BASH_grub2_bootloader_argument | 2 +- shared/templates/template_OVAL_grub2_bootloader_argument | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml index c0d39f1e8cbc..eb21e5cf3bcc 100644 --- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml 
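Review bot: Selecting `package_tmux_installed` in place of `package_screen_installed` in the first hunk only puts the package on the host. The console-lock requirement this selection stands for is met only if tmux is also configured to lock idle sessions and interactive shells actually run inside it. If the content provides rules for the tmux lock command and lock timeout, they should be selected here together with the package rule; none appear in this hunk. The selections list continues outside the hunk.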
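Review bot: The removals in the second hunk do not follow one rule: `package_rsh_removed`, `package_ypbind_removed`, `service_rsh_disabled` and `service_ypbind_disabled` are dropped, while `package_rsh-server_removed`, `package_ypserv_removed`, `service_rexec_disabled` and `service_rlogin_disabled` stay. `no_rsh_trust_files` is dropped as well, although, judging by its name, it checks for leftover trust files rather than for the package. A "package removed" selection passes trivially when the distribution no longer ships the package and still catches one installed from another repository, so keeping these costs little. If they are removed because the rules are not yet applicable to rhv4, a comment in the profile saying so would make the gap visible.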
@@ -8,7 +8,7 @@ description: |- To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in -{{% if product in ["rhel7", "ol7", "rhv4"] %}} +{{% if product in ["rhel7", "ol7"] %}} /etc/default/grub, so that the line looks similar to
GRUB_CMDLINE_LINUX="... audit=1 ..."
In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. @@ -50,7 +50,7 @@ references: ocil_clause: 'auditing is not enabled at boot time' ocil: |- -{{% if product in ["rhel7", "ol7", "rhv4"] %}} +{{% if product in ["rhel7", "ol7"] %}} Inspect the form of default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes audit=1, then auditing is enabled at boot time. diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml index e128654204d2..1876dae0a115 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml @@ -8,7 +8,7 @@ description: |- To disable IPv6 protocol support in the Linux kernel, add the argument ipv6.disable=1 to the default GRUB2 command line for the Linux operating system in -{{% if product in ["rhel7", "ol7", "rhv4"] %}} +{{% if product in ["rhel7", "ol7"] %}} /etc/default/grub, so that the line looks similar to
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. @@ -39,7 +39,7 @@ references: ocil_clause: 'IPv6 is not disabled' ocil: |- - {{% if product in ["rhel7", "ol7", "rhv4"] %}} + {{% if product in ["rhel7", "ol7"] %}} Inspect the form of default GRUB2 command line for the Linux operating system in /etc/default/grub. Check if it includes ipv6.disable=1. First check if the GRUB recovery is enabled: diff --git a/shared/templates/template_ANSIBLE_grub2_bootloader_argument b/shared/templates/template_ANSIBLE_grub2_bootloader_argument index 13749232336c..e3549dcc3e86 100644 --- a/shared/templates/template_ANSIBLE_grub2_bootloader_argument +++ b/shared/templates/template_ANSIBLE_grub2_bootloader_argument @@ -4,7 +4,7 @@ # complexity = medium # disruption = low -{{% if product in ["rhel7", "ol7", "rhv4"] %}} +{{% if product in ["rhel7", "ol7"] %}} - name: check {{{ ARG_NAME }}} argument exists command: grep 'GRUB_CMDLINE_LINUX.*{{{ ARG_NAME }}}=' /etc/default/grub failed_when: False diff --git a/shared/templates/template_BASH_grub2_bootloader_argument b/shared/templates/template_BASH_grub2_bootloader_argument index 20faf05f32c7..65d851f6448b 100644 --- a/shared/templates/template_BASH_grub2_bootloader_argument +++ b/shared/templates/template_BASH_grub2_bootloader_argument @@ -1,6 +1,6 @@ # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -{{% if product in ["rhel7", "ol7", "rhv4"] %}} +{{% if product in ["rhel7", "ol7"] %}} # Correct the form of default kernel command line in GRUB if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument index a18f85f5e821..aaaa0393b0e0 100644 
--- a/shared/templates/template_OVAL_grub2_bootloader_argument +++ b/shared/templates/template_OVAL_grub2_bootloader_argument @@ -6,7 +6,7 @@ Ensure {{{ ARG_NAME_VALUE }}} is configured in the kernel line in /etc/default/grub. - {{% if product in ["rhel7", "ol7", "rhv4"] %}} + {{% if product in ["rhel7", "ol7"] %}} @@ -26,7 +26,7 @@ -{{% if product in ["rhel7", "ol7", "rhv4"] %}} +{{% if product in ["rhel7", "ol7"] %}} From 66a286b3289bd45b37ee3258271809dcdbcc359b Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 27 Mar 2020 11:00:21 +0100 Subject: [PATCH 07/13] Move rhv4 ensure_redhat_gpgkey_installed to rhel8 As the node becomes rhel8 based, the gpg keys become the same as rhel8 keys. --- .../updating/ensure_redhat_gpgkey_installed/bash/shared.sh | 2 +- .../updating/ensure_redhat_gpgkey_installed/oval/shared.xml | 6 +++--- rhv4/product.yml | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh index 13e9f6fa78ce..509543281ef9 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh @@ -13,7 +13,7 @@ if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] then # If they are safe, try to obtain fingerprints from the key file # (to ensure there won't be e.g. CRC error). -{{% if product == "rhel8" %}} +{{% if product in ["rhel8", "rhv4"] %}} readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10) {{% else %}} readarray -t GPG_OUT < <(gpg --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY" | grep "^fpr" | cut -d ":" -f 10) 
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml index abb1bfcef854..748f30a29347 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml @@ -14,7 +14,7 @@ {{%- if product == "rhel6" %}} {{%- endif %}} - {{%- if product == "rhel7" or product == "rhv4" %}} + {{%- if product == "rhel7" %}} {{%- endif %}} @@ -33,7 +33,7 @@ test_ref="test_package_gpgkey-c105b9de-4e0fd3a3_installed" /> {{%- endif %}} - {{%- if product == "rhel7" or product == "rhv4" %}} + {{%- if product == "rhel7" %}} {{{ aux_pkg_version }}} - {{%- if product == "rhel7" or product == "rhv4" %}} + {{%- if product == "rhel7" %}} Date: Fri, 27 Mar 2020 14:08:49 +0100 Subject: [PATCH 08/13] Remove configure_opensc_nss_db from rhv4 As RHV4 moves to be rhel8 based, this doesn't apply anymore to rhv4. --- .../smart_card_login/configure_opensc_nss_db/ansible/shared.yml | 2 +- .../smart_card_login/configure_opensc_nss_db/bash/shared.sh | 2 +- .../smart_card_login/configure_opensc_nss_db/oval/shared.xml | 1 - .../smart_card_login/configure_opensc_nss_db/rule.yml | 2 +- rhv4/profiles/rhvh-stig.profile | 1 - rhv4/profiles/rhvh-vpp.profile | 1 - 6 files changed, 3 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml index 5a29c7e3e33e..ca3fd9a8d840 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml 
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,multi_platform_rhv,Oracle Linux 7 +# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,Oracle Linux 7 # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh index 3bdce15528bd..ff943d7de9a9 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,multi_platform_rhv,Oracle Linux 7 +# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,Oracle Linux 7 # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml index 21b43f486a1f..da61320316ff 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml @@ -5,7 +5,6 @@ Red Hat Enterprise Linux 7 multi_platform_fedora - multi_platform_rhv Oracle Linux 7 The NSS DB should be set to use opensc library. 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml index 96ebd3cd76fe..78a04d77b099 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,rhel7,rhv4 +prodtype: fedora,ol7,rhel7 title: 'Configure NSS DB To Use opensc' diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile index 9cabc0c3c4cf..187de1511c2f 100644 --- a/rhv4/profiles/rhvh-stig.profile +++ b/rhv4/profiles/rhvh-stig.profile @@ -351,7 +351,6 @@ selections: - set_password_hashing_algorithm_systemauth - package_opensc_installed - var_smartcard_drivers=cac - - configure_opensc_nss_db - configure_opensc_card_drivers - force_opensc_card_drivers - package_pcsc-lite_installed diff --git a/rhv4/profiles/rhvh-vpp.profile b/rhv4/profiles/rhvh-vpp.profile index ace88005389a..ecd545237ffd 100644 --- a/rhv4/profiles/rhvh-vpp.profile +++ b/rhv4/profiles/rhvh-vpp.profile @@ -169,7 +169,6 @@ selections: # IA-2 (1) - package_opensc_installed - var_smartcard_drivers=cac - - configure_opensc_nss_db - configure_opensc_card_drivers - force_opensc_card_drivers - package_pcsc-lite_installed From c0b759426bdbf75b822f1f63f6876b8f7855641e Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 27 Mar 2020 14:55:28 +0100 Subject: [PATCH 09/13] Remove not applicable rules from rhv4 These packages are not present in rhel8. --- .../integrity/fips/package_dracut-fips-aesni_installed/rule.yml | 2 +- .../system-tools/package_cryptsetup-luks_installed/rule.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml index 724970be083a..f9ca356aee38 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ocp4,ol7,rhel6,rhel7,rhv4 +prodtype: ocp4,ol7,rhel6,rhel7 title: 'Install the dracut-fips-aesni Package' diff --git a/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml index 93771575571c..2021dc7763d7 100644 --- a/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml +++ b/linux_os/guide/system/software/system-tools/package_cryptsetup-luks_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,rhel6,rhel7,rhv4 +prodtype: fedora,ol7,rhel6,rhel7 title: 'Install cryptsetup-luks Package' From 0ef07933243c9ed2a2b23e13e4e44fb0f6a83a09 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 26 Mar 2020 18:04:41 +0100 Subject: [PATCH 10/13] Update CPE hypervisor version --- rhv4/cpe/rhv4-cpe-dictionary.xml | 2 +- ssg/constants.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml index 56ea1abf8c79..ce9b06dcae50 100644 --- a/rhv4/cpe/rhv4-cpe-dictionary.xml +++ b/rhv4/cpe/rhv4-cpe-dictionary.xml @@ -2,7 +2,7 @@ - + Red Hat Virtualization 4 Host installed_OS_is_rhv4 diff --git a/ssg/constants.py b/ssg/constants.py index 46bb701ddf40..a3741f6d0049 100644 --- a/ssg/constants.py +++ b/ssg/constants.py 
@@ -254,7 +254,7 @@ ], "rhv4": [ "cpe:/a:redhat:enterprise_virtualization_manager:4", - "cpe:/o:redhat:enterprise_linux:7::hypervisor", + "cpe:/o:redhat:enterprise_linux:8::hypervisor", ], "sle11": [ "cpe:/o:suse:linux_enterprise_server:11", From 34a4c175898ed69a11f87f49dc7a92da9a095b51 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 27 Mar 2020 15:54:05 +0100 Subject: [PATCH 11/13] Make rhv4 product applicable to versions 4.4+ Make rhv4 product applicable to version 4.4 and newer. --- shared/checks/oval/installed_OS_is_rhv4.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/checks/oval/installed_OS_is_rhv4.xml b/shared/checks/oval/installed_OS_is_rhv4.xml index 1935f3c2f3c6..ed9205af54c1 100644 --- a/shared/checks/oval/installed_OS_is_rhv4.xml +++ b/shared/checks/oval/installed_OS_is_rhv4.xml @@ -9,7 +9,7 @@ The operating system installed on the system is - Red Hat Virtualization Host 4 or Red Hat Enterprise Host. + Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host. @@ -24,7 +24,7 @@ redhat-release-virtualization-host - ^4.*$ + 0:4.4 From 217639e9f5872d308ec089c43b1b0298aa21e2ca Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 27 Mar 2020 16:32:29 +0100 Subject: [PATCH 12/13] Allow RHEL8 as a Host --- shared/checks/oval/installed_OS_is_rhv4.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shared/checks/oval/installed_OS_is_rhv4.xml b/shared/checks/oval/installed_OS_is_rhv4.xml index ed9205af54c1..dd3152b6b7f5 100644 --- a/shared/checks/oval/installed_OS_is_rhv4.xml +++ b/shared/checks/oval/installed_OS_is_rhv4.xml @@ -11,7 +11,8 @@ The operating system installed on the system is Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host. - + + From 9f4652c18ade15edb2a943379cfd1c53e9ce94f2 Mon Sep 17 00:00:00 2001 
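Review bot: The `rhv4` entry replaces `cpe:/o:redhat:enterprise_linux:7::hypervisor` with the `:8::hypervisor` string instead of adding to it, so an el7-based host no longer carries a CPE listed for this product. If this list feeds platform applicability (presumably; the enclosing mapping starts and ends outside the hunk), scanning such a host with rhv4 content would report rules as not applicable rather than failing, which is easy to misread as a clean result. A comment on the entry would make the cut-over explicit, e.g. `# rhv4 content targets el8-based hosts; el7-based hosts use the rhel7 content`. The matching change in `rhv4-cpe-dictionary.xml` is not readable on this page, so the two strings should be checked against each other.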
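Review bot: In the `@@ -24,7 +24,7 @@` hunk of `installed_OS_is_rhv4.xml` the version state changes from the pattern `^4.*$` to the value `0:4.4`, which only works as a lower bound if the surrounding element compares it as an EVR string with a greater-than-or-equal operation; the element and its attributes are not readable on this page. If the operation were still a pattern match, `0:4.4` would be applied as a regular expression and the `redhat-release-virtualization-host` test would stop matching. The platform check would then evaluate false and every rule would come back not applicable. I would confirm `datatype="evr_string"` and `operation="greater than or equal"` on that element and add an XML comment next to it stating why 4.4 is the lower bound. The description left unchanged by the following commit (`@@ -11,7 +11,8 @@`) still reads "Red Hat Enterprise Host" although that commit's subject is allowing RHEL8 as a host, so the wording could be brought in line there.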
From: Watson Sato Date: Wed, 1 Apr 2020 14:09:23 +0200 Subject: [PATCH 13/13] Document RHV el7 and el8 support --- docs/manual/user_guide.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/manual/user_guide.adoc b/docs/manual/user_guide.adoc index f5e4aaa511a6..d2fc8dbba05b 100644 --- a/docs/manual/user_guide.adoc +++ b/docs/manual/user_guide.adoc @@ -274,6 +274,14 @@ Ansible, it is advisable to use the playbooks from https://github.com/RedHatOffi IMPORTANT: The minimum version of Ansible must be at the latest supported version. See https://access.redhat.com/support/policy/updates/ansible-engine for information on the supported Ansible versions. +## Content Notes + +### Note on content for Red Hat Virtualization 4 + +As RHV moves to be based on el8, the contents of `rhv4` will also move to be based on el8. + +If you need content for RHV based on el7, use the Red Hat Enterprise Linux 7 (`rhel7`) content. + ## Deprecated Content .Deprecated or Removed Content