diff --git a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml index b030a645a893..51fe990a7a8f 100644 --- a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml +++ b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml @@ -13,6 +13,9 @@ rationale: |- severity: medium identifiers: + cce@rhel8: CCE-90720-4 + cce@rhel9: CCE-90721-2 + cce@rhel10: CCE-90722-0 cce@sle15: CCE-92602-2 platform: system_with_kernel diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml index 8d95be5ac6b1..174866b22b55 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml @@ -4,9 +4,16 @@ # complexity = low # disruption = medium +- name: "{{{ rule_title }}} - Set fact for sysctl paths" + ansible.builtin.set_fact: + sysctl_paths: + - "/etc/sysctl.d/" + - "/run/sysctl.d/" + - "/usr/local/lib/sysctl.d/" + - name: "{{{ rule_title }}} - Find all files that contain kernel.core_pattern" ansible.builtin.shell: - cmd: find -L /etc/sysctl.conf /etc/sysctl.d/ /run/sysctl.d/ -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*.*$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false 
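Review bot: `sysctl_paths` is set with `ansible.builtin.set_fact`, so it becomes a host fact that outlives this rule's tasks, and the name is generic enough to collide with another remediation when rules are combined into one playbook. A rule-specific name such as `sysctl_kernel_core_pattern_paths`, used in both `find` commands (this hunk and the next one), keeps it contained. `/etc/sysctl.conf` is also no longer in the `find` list, so `find_all_values` and `find_correct_value` now describe only the drop-in directories; a comment above the first task, for example `# /etc/sysctl.conf is handled by a separate task below`, would make that intent explicit. The "Find all files" task continues past the end of the hunk.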
@@ -14,7 +21,7 @@ - name: "{{{ rule_title }}} - Find all files that set kernel.core_pattern to correct value" ansible.builtin.shell: - cmd: find -L /etc/sysctl.conf /etc/sysctl.d/ /run/sysctl.d/ -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*$' register: find_correct_value check_mode: false changed_when: false @@ -23,15 +30,23 @@ - name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from config files" ansible.builtin.replace: path: '{{ item | split(":") | first }}' - regexp: ^[\s]*kernel.core_pattern + regexp: '^[\s]*kernel.core_pattern' replace: '#kernel.core_pattern' loop: '{{ find_all_values.stdout_lines }}' when: find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length +- name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf" + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^[\s]*kernel.core_pattern' + replace: '#kernel.core_pattern' + with_fileglob: + - "/etc/sysctl.conf" + - name: "{{{ rule_title }}} - Ensure sysctl kernel.core_pattern is set to empty" ansible.posix.sysctl: - name: kernel.core_pattern - value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces - sysctl_file: "/etc/sysctl.conf" + name: "kernel.core_pattern" + value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces + sysctl_file: "/etc/sysctl.d/kernel_core_pattern.conf" state: present - reload: true + reload: yes 
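Review bot: `with_fileglob` in the new "Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf" task is a lookup, and lookups are evaluated on the Ansible control node, so whether the task runs depends on the controller having `/etc/sysctl.conf`, not the managed host. If the controller lacks the file, a non-empty value is never commented out on the target; if only the target lacks it, `replace` fails on a missing path. Checking the file on the target with `ansible.builtin.stat` and guarding the task with `when:` keeps the decision on the managed host. Separately, `reload: yes` in the last task steps back from the canonical `reload: true` that the removed line used.

```yaml
- name: "{{{ rule_title }}} - Check whether /etc/sysctl.conf exists"
  ansible.builtin.stat:
    path: /etc/sysctl.conf
  register: sysctl_conf_stat

- name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf"
  ansible.builtin.replace:
    path: /etc/sysctl.conf
    regexp: '^[\s]*kernel.core_pattern'
    replace: '#kernel.core_pattern'
  when: sysctl_conf_stat.stat.exists

# … unchanged: "Ensure sysctl kernel.core_pattern is set to empty" task …
```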
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
index 2b2f1cd70b66..301e434e8c03 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
@@ -5,49 +5,39 @@ # disruption = medium # Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) + if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "kernel.core_pattern" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f + sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE='/etc/sysctl.d/kernel_core_pattern.conf' + # # Set runtime for kernel.core_pattern # -/sbin/sysctl -q -n -w kernel.core_pattern="" +if {{{ bash_not_bootc_build() }}} ; then + /sbin/sysctl -q -n -w kernel.core_pattern="" +fi # # If kernel.core_pattern present in /etc/sysctl.conf, change value to empty # else, add "kernel.core_pattern =" to /etc/sysctl.conf # -# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. -# Otherwise, regular sed command will do. -sed_command=('sed' '-i') -if test -L "/etc/sysctl.conf"; then - sed_command+=('--follow-symlinks') -fi - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") -# shellcheck disable=SC2059 -printf -v formatted_output "%s=" "$stripped_key" +sed -i --follow-symlinks "/^kernel.core_pattern/d" /etc/sysctl.conf -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" -else - # \n is precaution for case where file ends without trailing newline - - printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" -fi +{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^kernel.core_pattern', '', cce_identifiers=cce_identifiers) }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml index 3fba84e44eac..8005c5990f02 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml 
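Review bot: The loop over `/etc/sysctl.d/*.conf` in bash/shared.sh also visits `/etc/sysctl.d/kernel_core_pattern.conf`, the file this script writes at the end, so on a second run the `sed` inside the loop comments out the entry the remediation itself created. Assuming `bash_replace_or_append` appends when no `^kernel.core_pattern` line is left, the drop-in then gains one commented line per run. A skip next to the existing symlink check would avoid that: `if [[ "$f" == "/etc/sysctl.d/kernel_core_pattern.conf" ]]; then continue; fi`. The new `sed -i --follow-symlinks "/^kernel.core_pattern/d" /etc/sysctl.conf` only matches entries at column 0, while the OVAL pattern in this change accepts leading blanks, so an indented assignment stays in place; `'/^[[:blank:]]*kernel\.core_pattern/d'` would line up with the check. The block comment above that `sed` still describes changing or adding the value in /etc/sysctl.conf and should say that the line is removed there and written to the drop-in file.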
@@ -37,155 +37,68 @@ + {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.", rule_title=rule_title) }}} - - - - - - + + + + + - - + - + - - - - + + + - - + + + - -{{% if target_oval_version >= [5, 11] %}} - - - - - - - local_var_sysctl_kernel_core_pattern_empty_string_counter - - - - 1 - - - - - - - - - - - - - object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered - state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink - - - - - - - - - - - - - - - - - var_obj_symlink_sysctl_kernel_core_pattern_empty_string - var_obj_blank_sysctl_kernel_core_pattern_empty_string - - - - - local_var_blank_path_sysctl_kernel_core_pattern_empty_string - - - - - - - - local_var_symlinks_sysctl_kernel_core_pattern_empty_string - - - - - - - - - - - - - state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string - - - - - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - -{{% endif %}} - - - - - - + + - object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string - object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string + object_static_etc_lib_sysctls_sysctl_kernel_core_pattern_empty_string + object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern_empty_string - + object_static_sysctl_sysctl_kernel_core_pattern_empty_string object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string - + + object_static_usr_local_lib_sysctld_sysctl_kernel_core_pattern_empty_string object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string + /etc/sysctl.conf ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ 
@@ -205,6 +118,23 @@ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ 1 + + + /usr/local/lib/sysctl.d + ^.*\.conf$ + ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ + 1 + + + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ + 1 + + + diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml index 4f228f0c3a4a..ac8e9953350d 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml @@ -11,9 +11,7 @@ title: 'Disable XDMCP in GDM' {{% endif %}} description: |- - XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. - {{{ weblink("https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity", "XDMCP Gnome docs") }}}. - + XDMCP is an unencrypted protocol, and therefore, presents a security risk. To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in {{{ gdm_conf_path }}}. For example:
     [xdmcp]
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml
index b80f01777048..72387b459f09 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml
@@ -52,7 +52,8 @@ title: Implement Custom Crypto Policy Modules for CIS Benchmark
     {
         "module_name": "NO-RPMSHA1",
         "key": "hash@rpm",
-        "value": "-SHA1"
+        "value": "-SHA1",
+        "scope": "rpm-sequoia"
     },
 ] %}}
 {{% elif product == "rhel10" or product == "fedora" %}}
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index 8080f0c6ced3..514841546662 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -40,19 +40,31 @@
 
 {{% endif %}}
 
-- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (without PQC)"
+  ansible.builtin.set_fact:
+    gpg_valid_fingerprints:
+    - "{{{ release_key_fingerprint }}}"
+    - "{{{ auxiliary_key_fingerprint }}}"
+  when: ansible_distribution_version is version('10.1', '<')
+
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (with PQC)"
   ansible.builtin.set_fact:
     gpg_valid_fingerprints:
     - "{{{ release_key_fingerprint }}}"
     - "{{{ auxiliary_key_fingerprint }}}"
-{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
     - "{{{ pqc_key_fingerprint }}}"
+  when: ansible_distribution_version is version('10.1', '>=')
+{{% else %}}
+- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
+  ansible.builtin.set_fact:
+    gpg_valid_fingerprints:
+    - "{{{ release_key_fingerprint }}}"
+    - "{{{ auxiliary_key_fingerprint }}}"
 {{% endif %}}
 
 - name: "{{{ rule_title }}}: Import RedHat GPG key"
-  ansible.builtin.rpm_key:
-    state: present
-    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+  ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
   when:
    - gpg_key_directory_permission.stat.mode <= '0755'
    - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
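Review bot: Replacing `ansible.builtin.rpm_key` with `ansible.builtin.command: rpm --import ...` in the "Import RedHat GPG key" task gives up idempotent reporting: `command` reports a change on every run and is skipped in check mode, and nothing in the hunk says why the module was dropped. A comment above the task stating the reason, together with an explicit `changed_when:` expression, would keep repeated remediation runs from always showing a change and keep the next maintainer from switching back. The two new `set_fact` tasks depend on `ansible_distribution_version`, so they presumably require gathered facts; if facts can be disabled for this playbook, neither branch will define `gpg_valid_fingerprints` cleanly. The `when:` list of the import task continues outside the hunk.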
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
index 53931cd4009d..5fdb792b79cd 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
@@ -25,13 +25,16 @@ then
   # No CRC error, safe to proceed
   if [ "${GPG_RESULT}" -eq "0" ]
   then
+  # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
 {{% if "rhel" in families  and major_version_ordinal >= 10 %}}
-    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || {
+    if {{{ bash_os_linux_conditional("rhel", expected_ver="10.1", op=">=") | trim }}}
+    then
+      echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
+    else
+      echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
+    fi
 {{% else %}}
-    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
+    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
 {{% endif %}}
-      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
-      rpm --import "${REDHAT_RELEASE_KEY}"
-    }
   fi
 fi
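Review bot: The same `echo "${GPG_OUT[*]}" | grep -vE ... || rpm --import "${REDHAT_RELEASE_KEY}"` pipeline is now written three times, differing only in the fingerprint allow-list, which makes it easy for a later fix to land in one branch and not the others. Building the allow-list once and extending it for RHEL 10.1 and later leaves a single import line to audit. The comment moved to the top of the block is indented two columns short of the code it describes. The enclosing `if [ "${GPG_RESULT}" -eq "0" ]` starts above the hunk.

```shell
    VALID_FINGERPRINTS="${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}"
{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
    if {{{ bash_os_linux_conditional("rhel", expected_ver="10.1", op=">=") | trim }}}
    then
      VALID_FINGERPRINTS+="|${REDHAT_PQC_FINGERPRINT}"
    fi
{{% endif %}}
    # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
    echo "${GPG_OUT[*]}" | grep -vE "${VALID_FINGERPRINTS}" || rpm --import "${REDHAT_RELEASE_KEY}"
```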
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
index 6871feba83b3..52461f678900 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
@@ -13,8 +13,13 @@
           
 {{% if "rhel" in families  and major_version_ordinal >= 10 %}}
-          
+          
+            
+            
+              
+              
+            
+          
 {{% endif %}}
       
       {{%- if centos_major_version %}}
@@ -88,5 +93,22 @@
   
   {{%- endif %}}
 
+{{% if "rhel" in families and major_version_ordinal >= 10 %}}
+  
+    
+    
+  
+
+  
+    /etc/os-release
+    ^VERSION_ID=["']?([\w.]+)["']?$
+    1
+  
+
+  
+    10.1
+  
+{{% endif %}}
+
 
 {{% endif %}}
diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
index 8269196f2993..f6abf020f44a 100644
--- a/products/rhel10/controls/cis_rhel10.yml
+++ b/products/rhel10/controls/cis_rhel10.yml
@@ -817,6 +817,8 @@ controls:
           - l1_workstation
       status: automated
       rules:
+          - service_dnsmasq_disabled
+      related_rules:
           - package_dnsmasq_removed
 
     - id: 2.1.7
diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile
index 4d9b46867bc6..3be6b3d8376a 100644
--- a/products/rhel10/profiles/default.profile
+++ b/products/rhel10/profiles/default.profile
@@ -45,3 +45,4 @@ selections:
     - file_etc_security_opasswd
     - sshd_use_strong_macs
     - configure_ssh_crypto_policy
+    - package_dnsmasq_removed
diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
index cbe5d4d6454e..57ff2e16abc4 100644
--- a/products/rhel8/controls/cis_rhel8.yml
+++ b/products/rhel8/controls/cis_rhel8.yml
@@ -860,6 +860,8 @@ controls:
           - l1_workstation
       status: automated
       rules:
+          - service_dnsmasq_disabled
+      related_rules:
           - package_dnsmasq_removed
 
     - id: 2.1.7
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 1b95e71705f9..069855e80d26 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -80,7 +80,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -95,15 +95,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
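Review bot: `/opt`, `/srv` and `/home` drop to `--size=128` here with no comment explaining why, and a 128 MiB XFS volume leaves very little usable space once the filesystem log and metadata are allocated. Newer xfsprogs releases refuse to create XFS filesystems below 300 MiB, so it is worth confirming that the installer for each targeted minor release still accepts these sizes, in particular for the RHEL 9 kickstarts. A line such as `# Sizes below are minimal placeholders; enlarge them to fit the workload` above the `logvol` entries would tell users the values are not recommendations. The same sizes are introduced in the other four kickstart partition hunks on this page (rhel8 high and intermediary, rhel9 enhanced and high).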
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon org_fedora_oscap
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index 461459e5d2bd..3477225767b6 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -84,7 +84,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -99,15 +99,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=4096 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -123,17 +123,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon org_fedora_oscap
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index 9080117a63c3..5789b94da59d 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -81,7 +81,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -96,15 +96,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -119,17 +119,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon org_fedora_oscap
diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile
index 6865a9615f79..7e7401a04ac7 100644
--- a/products/rhel8/profiles/default.profile
+++ b/products/rhel8/profiles/default.profile
@@ -738,3 +738,4 @@ selections:
     - configure_openssl_tls_crypto_policy
     - sshd_use_approved_kex_ordered_stig
     - accounts_user_dot_no_world_writable_programs
+    - package_dnsmasq_removed
diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
index f73fbd1f6d79..2ded1b128c92 100644
--- a/products/rhel9/controls/cis_rhel9.yml
+++ b/products/rhel9/controls/cis_rhel9.yml
@@ -819,6 +819,8 @@ controls:
           - l1_workstation
       status: automated
       rules:
+          - service_dnsmasq_disabled
+      related_rules:
           - package_dnsmasq_removed
 
     - id: 2.1.6
diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
index 5b170c0a635f..48dbcf396ce8 100644
--- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
@@ -80,7 +80,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -95,15 +95,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,noexec,nosuid"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
index 7cb225c2da56..bbb3a2cadf90 100644
--- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
@@ -84,7 +84,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -99,15 +99,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=4096 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
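Review bot: The new `--size` values on the `logvol` lines (`/usr` 6667; `/opt`, `/srv` and `/home` 128) carry no unit or reasoning, and the same holds for the matching hunks in the intermediary and bsi kickstarts. A line above the block such as `# Sizes are in MiB; / starts at 1024 and grows into the space left in VolGroup` would tell an operator what to adjust. The header comment earlier in this file still says the layout assumes a disk of 20GB or larger. The volume list continues past this hunk, so whether the new total still fits that assumption could not be checked from here.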
@@ -122,17 +122,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
index 4feee55f0f8c..d5649e10ece3 100644
--- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
@@ -80,7 +80,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -95,15 +95,15 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
 # Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var/tmp Located On Separate Partition
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
diff --git a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
index 47ef01e7fa56..68a69d4d0d9c 100644
--- a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
@@ -97,16 +97,16 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /usr Located On Separate Partition
 # partition_for_usr
-logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=3192 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
 # Ensure /opt Located On Separate Partition
 # partition_for_opt
-logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512
+logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128
 # Ensure /home Located On Separate Partition
 # partition_for_home
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
 # Ensure /tmp Located On Separate Partition
 # partition_for_tmp
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
 logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
 # Ensure /var Located On Separate Partition
 # partition_for_var
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096
 # Ensure /var/log Located On Separate Partition
 # partition_for_var_log
 logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
index 263be16f4566..73e367ce22dc 100644
--- a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
@@ -94,7 +94,7 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # Ensure /home Located On Separate Partition
 logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
 # Ensure /tmp Located On Separate Partition
@@ -111,17 +111,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
diff --git a/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
index 55a0a069cac0..cbb5ce7e2dcb 100644
--- a/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
@@ -78,7 +78,7 @@ zerombr
 
 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
-# 
+#
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
@@ -93,32 +93,32 @@ part pv.01 --grow --size=1
 volgroup VolGroup pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=5120 --grow
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
 # CCE-26557-9: Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
 # CCE-26435-8: Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 # CCE-26639-5: Ensure /var Located On Separate Partition
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096 --fsoptions="nodev"
 # CCE-26215-4: Ensure /var/log Located On Separate Partition
-logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=512 --fsoptions="nodev"
 # CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
 logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev"
 logvol swap --name=swap --vgname=VolGroup --size=2016
 
 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
 # content - security policies - on the installed system.This add-on has been enabled by default
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
 # functionality will automatically be installed. However, by default, no policies are enforced,
 # meaning that no checks are performed during or after installation unless specifically configured.
-#  
+#
 #  Important
 #   Applying a security policy is not necessary on all systems. This screen should only be used
 #   when a specific policy is mandated by your organization rules or government regulations.
 #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
 #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
 #   Values can be optionally enclosed in single quotes (') or double quotes (").
-#   
+#
 # For more details and configuration options see
 # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
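Review bot: `/var/log` is halved to 512 on the `--name=varlog` line, the same size as `/var/log/audit`, with no comment on how the figure was chosen. Once a log volume fills, services writing there can no longer persist events, which matters on a host built from a compliance kickstart. I would add above these two lines `# Size /var/log and /var/log/audit for the retention your policy requires; the values here are only a starting point`. Whether the smaller defaults are meant only for test installs is not stated in the hunk.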
diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
index 876e5516b32a..f817322dbdab 100644
--- a/products/rhel9/profiles/default.profile
+++ b/products/rhel9/profiles/default.profile
@@ -592,3 +592,4 @@ selections:
     - audit_rules_login_events_tallylog
     - configure_ssh_crypto_policy
     - accounts_user_dot_no_world_writable_programs
+    - package_dnsmasq_removed
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 7a92cfd8cdb7..7ad8a71c0246 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2253,23 +2253,23 @@ for f in $(echo -n "{{{ files }}}"); do
     fi
 
     # find key in section and change value
-    if grep -qzosP "[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then
-        if ! grep -qPz "{{{ key }}}={{{ value }}}" "$f"; then
+    if grep -qzosP "(?m)^[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then
+        if ! grep -qzosP "(?m)^[[:space:]]*{{{ key }}}[[:space:]]*=[[:space:]]*{{{ value }}}" "$f"; then
 {{% if no_quotes %}}
-            sed -i "s/{{{ key }}}[^(\n)]*/{{{ key }}}={{{ value | replace("/", "\/") }}}/" "$f"
+            sed -i "/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1{{{ value | replace("/", "\/") }}}/" "$f"
 {{% else %}}
-            sed -i 's/{{{ key }}}[^(\n)]*/{{{ key }}}="{{{ value | replace("/", "\/") }}}"/' "$f"
+            sed -i '/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1"{{{ value | replace("/", "\/") }}}"/' "$f"
 {{% endif %}}
         fi
 
         found=true
 
     # find section and add key = value to it
-    elif grep -qs "[[:space:]]*\[{{{ section }}}\]" "$f"; then
+    elif grep -qs "^[[:space:]]*\[{{{ section }}}\]" "$f"; then
 {{% if no_quotes %}}
-            sed -i "/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value | replace("/", "\/") }}}" "$f"
+            sed -i "/^[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value | replace("/", "\/") }}}" "$f"
 {{% else %}}
-            sed -i '/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value | replace ("/", "\/") }}}"' "$f"
+            sed -i '/^[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value | replace ("/", "\/") }}}"' "$f"
 {{% endif %}}
             found=true
     fi
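Review bot: The new sed address `/^[[:space:]]*{{{ key }}}/` on both `sed -i` lines has no delimiter after the key and is not limited to `[{{{ section }}}]`, so a line whose name merely starts with the key, or the same key under another section, is rewritten as well. For a hardening remediation that means an unrelated setting can be changed while `found=true` is still set. Requiring the assignment in the address narrows it: `sed -i "/^[[:space:]]*{{{ key }}}[[:blank:]]*=/s/\([[:blank:]]*=[[:blank:]]*\).*/\1{{{ value | replace("/", "\/") }}}/" "$f"`, and the same in the quoted branch. The value check above it has no end anchor either, so `{{{ value }}}` matches as a prefix of a longer value; appending `[[:space:]]*$` would close that. The enclosing `for` loop and macro start outside this hunk.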
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 19129c0f0065..3681684fcdf0 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2341,6 +2341,3 @@ CCE-90706-3
 CCE-90707-1
 CCE-90710-5
 CCE-90715-4
-CCE-90720-4
-CCE-90721-2
-CCE-90722-0
diff --git a/shared/templates/crypto_sub_policies/ansible.template b/shared/templates/crypto_sub_policies/ansible.template
index 688b681a97bd..7152802d1b50 100644
--- a/shared/templates/crypto_sub_policies/ansible.template
+++ b/shared/templates/crypto_sub_policies/ansible.template
@@ -4,7 +4,18 @@
 # complexity = low
 # disruption = low
 
+-   name: "{{{ rule_title }}} - Set the base crypto policy"
+    ansible.builtin.set_fact:
+        expected_crypto_policy: "{{{ BASE_POLICY }}}"
+
 {{% for sub_policy in SUB_POLICIES %}}
+{{% if "scope" in sub_policy %}}
+-   name: "{{{ rule_title }}} - Check That /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config Exists"
+    ansible.builtin.stat:
+        path: /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config
+    register: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope
+{{% endif %}}
+
 -   name: "{{{ rule_title }}} - Create custom crypto policy module {{{ sub_policy.module_name }}}"
     ansible.builtin.lineinfile:
         path: /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod
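Review bot: The scope gating added here is undocumented: the `stat` task and the `when:` conditions further down skip a module when `/etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config` is absent, but nothing in the playbook says why. The bash template in this commit explains it with `# this module is applicable only if {{{ sub_policy.scope }}} scope is available in crypto-policies`, and the same comment above the `stat` task would keep the two remediations consistent. A short comment on `replace("-", "_")` would also help; it presumably exists to make the scope usable in a variable name and assumes scopes contain no other special characters. The `lineinfile` task that follows continues outside this hunk.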
@@ -14,6 +25,16 @@
         line: {{{ sub_policy.key }}} = {{{ sub_policy.value }}}
         create: true
         regexp: "{{{ sub_policy.key }}}"
+{{% if "scope" in sub_policy %}}
+    when: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope.stat.exists
+{{% endif %}}
+
+-   name: "{{{ rule_title }}} - Update the expected policy"
+    ansible.builtin.set_fact:
+        expected_crypto_policy: "{{ expected_crypto_policy + ':{{{ sub_policy.module_name }}}' }}"
+{{% if "scope" in sub_policy %}}
+    when: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope.stat.exists
+{{% endif %}}
 {{% endfor %}}
 
 -   name: "{{{ rule_title }}} - Check current crypto policy"
@@ -24,5 +45,5 @@
     check_mode: false
 
 -   name: "{{{ rule_title }}} - Update crypto-policies"
-    ansible.builtin.command: update-crypto-policies --set {{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}
-    when: current_crypto_policy.stdout.strip() != "{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}"
+    ansible.builtin.command: update-crypto-policies --set {{ expected_crypto_policy }}
+    when: current_crypto_policy.stdout.strip() != expected_crypto_policy
diff --git a/shared/templates/crypto_sub_policies/bash.template b/shared/templates/crypto_sub_policies/bash.template
index e8915cb3daf3..685e90e54846 100644
--- a/shared/templates/crypto_sub_policies/bash.template
+++ b/shared/templates/crypto_sub_policies/bash.template
@@ -4,12 +4,22 @@
 # complexity = low
 # disruption = low
 
-{{% for sub_policy in SUB_POLICIES %}}
-{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) }}}
-{{% endfor %}}
+expected_crypto_policy="{{{ BASE_POLICY }}}"
+
+{{% for sub_policy in SUB_POLICIES -%}}
+{{% if "scope" in sub_policy %}}
+# this module is applicable only if {{{ sub_policy.scope }}} scope is available in crypto-policies
+if [[ -f /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config ]] ; then
+{{%- endif %}}
+expected_crypto_policy="${expected_crypto_policy}:{{{ sub_policy.module_name }}}"
+{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) | trim }}}
+{{% if "scope" in sub_policy -%}}
+fi
+{{% endif %}}
+{{%- endfor %}}
 
 current_crypto_policy=$(update-crypto-policies --show)
-expected_crypto_policy="{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}"
+
 if [[ "$current_crypto_policy" != "$expected_crypto_policy" ]] ; then
     update-crypto-policies --set "$expected_crypto_policy"
 fi
diff --git a/shared/templates/crypto_sub_policies/oval.template b/shared/templates/crypto_sub_policies/oval.template
index 272ae6ee31df..b45e533287a9 100644
--- a/shared/templates/crypto_sub_policies/oval.template
+++ b/shared/templates/crypto_sub_policies/oval.template
@@ -3,8 +3,18 @@
         {{{ oval_metadata("Ensure that the custom crypto policy module is configured", rule_title=rule_title) }}}
         
         {{% for sub_policy in SUB_POLICIES %}}
-            
+                    
+                    
+                        
+                        
+                    
+                
+            {{% else %}}
+                
+            {{% endif %}}
         {{% endfor %}}
         
     
@@ -21,5 +31,14 @@
             ^{{{ sub_policy.key }}} = {{{ sub_policy.value | escape_regex }}}$
             1
         
+        {{% if "scope" in sub_policy %}}
+            
+                
+            
+
+            
+                /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config
+            
+        {{% endif %}}
         {{% endfor %}}
 
diff --git a/shared/templates/crypto_sub_policies/template.py b/shared/templates/crypto_sub_policies/template.py
deleted file mode 100644
index 8e256ae08291..000000000000
--- a/shared/templates/crypto_sub_policies/template.py
+++ /dev/null
@@ -1,3 +0,0 @@
-def preprocess(data, lang):
-    data["configure_crypto_policy_modules"] = ":".join([sub_policy["module_name"] for sub_policy in data["sub_policies"]])
-    return data
diff --git a/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh b/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh
new file mode 100644
index 000000000000..90b69e6f4047
--- /dev/null
+++ b/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+SECTION="{{{ SECTION }}}"
+PARAM="{{{ PARAM }}}"
+VALUE="{{{ VALUE }}}"
+MASTER_CFG_FILE="{{{ MASTER_CFG_FILE }}}"
+
+# This setup tests if remediation is "tricked" by a commented-out correct value.
+# It sets an active bad value and a commented-out good value.
+{{% if NO_QUOTES %}}
+echo -e "[$SECTION]\n$PARAM=badval\n#$PARAM=$VALUE" > "$MASTER_CFG_FILE"
+{{% else %}}
+echo -e "[$SECTION]\n$PARAM=\"badval\"\n#$PARAM=\"$VALUE\"" > "$MASTER_CFG_FILE"
+{{% endif %}}
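Review bot: `echo -e` in both branches expands backslash escapes inside `$PARAM` and `$VALUE` as well as the intended `\n`, so a templated value containing a backslash would be written differently from what the rule expects. `printf` with a fixed format keeps the data literal, e.g. `printf '[%s]\n%s=badval\n#%s=%s\n' "$SECTION" "$PARAM" "$PARAM" "$VALUE" > "$MASTER_CFG_FILE"` for the unquoted branch. The script also assumes that the directory of `$MASTER_CFG_FILE` exists and that no drop-in file already sets the parameter. If sibling scenarios clear the drop-in directory first, this one should do the same.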
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index acb21b876b66..be281650fc10 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -322,7 +322,6 @@ package_audit_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -369,6 +368,7 @@ service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index 1a8d4a413244..40d910b58ee9 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -226,7 +226,6 @@ package_aide_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -262,6 +261,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 63186a34c258..f2f820c05c60 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -222,7 +222,6 @@ package_aide_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -253,6 +252,7 @@ rsyslog_files_permissions
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 221ffac17557..68ed725b2d73 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -322,7 +322,6 @@ package_audit_installed
 package_bind_removed
 package_cron_installed
 package_cyrus-imapd_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -365,6 +364,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 40ef7718866d..f17b30ec001e 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -323,7 +323,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -376,6 +375,7 @@ service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index c186914d253b..8acdac5b799c 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -237,7 +237,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -279,6 +278,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index f53d2e0dd714..3a115c19fbf6 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -234,7 +234,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -271,6 +270,7 @@ rsyslog_nolisten
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index f43c7d9ea9b5..c7700c1f700b 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -323,7 +323,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -372,6 +371,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_cockpit_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_rpcbind_disabled
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 65f2ddc07f7e..398d9f9c3132 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -292,7 +292,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -339,6 +338,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index ac83e2c0a321..549ae2ca45b2 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -201,7 +201,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -238,6 +237,7 @@ service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
 service_cups_disabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index fb685c741479..fc3d0e7e594a 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -198,7 +198,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -230,6 +229,7 @@ rsyslog_files_permissions
 selinux_not_disabled
 selinux_policytype
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index 3fc4bebf0c4a..ac08a0eb2e05 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -292,7 +292,6 @@ package_chrony_installed
 package_cron_installed
 package_cyrus-imapd_removed
 package_dhcp_removed
-package_dnsmasq_removed
 package_dovecot_removed
 package_firewalld_installed
 package_ftp_removed
@@ -335,6 +334,7 @@ service_autofs_disabled
 service_avahi-daemon_disabled
 service_bluetooth_disabled
 service_crond_enabled
+service_dnsmasq_disabled
 service_firewalld_enabled
 service_nfs_disabled
 service_nftables_disabled
diff --git a/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja b/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja
index 34a90ce2398b..95dfa0acb8da 100644
--- a/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja
+++ b/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja
@@ -46,7 +46,7 @@ teardown() {
 
 @test "bash_ensure_ini_config - Basic value remediation" {
     printf "[pam]\npam_cert_auth = false\n" > sssd_test/sssd.conf
-    expected_output="[pam]\npam_cert_auth=true\n"
+    expected_output="[pam]\npam_cert_auth = true\n"
 
     call_bash_ensure_ini_config "sssd_test/sssd.conf" "pam" "pam_cert_auth" "true"
 
@@ -57,7 +57,7 @@ teardown() {
 @test "bash_ensure_ini_config - Value remediation in multiple files" {
     printf "[pam]\npam_cert_auth = false\n" > sssd_test/sssd.conf
     printf "[pam]\npam_cert_auth = false\n" > pam_cert_auth.conf
-    expected_output="[pam]\npam_cert_auth=true\n"
+    expected_output="[pam]\npam_cert_auth = true\n"
 
     call_bash_ensure_ini_config "sssd_test/sssd.conf pam_cert_auth.conf" "pam" "pam_cert_auth" "true"
 
@@ -70,7 +70,7 @@ teardown() {
 
 @test "bash_ensure_ini_config - No remediation happened" {
     printf "[pam]\npam_cert_auth = true\n" > sssd_test/sssd.conf
-    expected_output="[pam]\npam_cert_auth=true\n"
+    expected_output="[pam]\npam_cert_auth = true\n"
 
     call_bash_ensure_ini_config "sssd_test/sssd.conf" "pam" "pam_cert_auth" "true"