ComplianceAsCode · Mab879 · Feb 12, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml
@@ -6,7 +6,7 @@
 
 {{{ ansible_instantiate_variables("var_logind_session_timeout") }}}
 
-{{% if product in ["sle15", "sle16"] %}}
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
 {{% else %}}

diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh
@@ -2,7 +2,7 @@
 
 {{{ bash_instantiate_variables("var_logind_session_timeout") }}}
 
-{{% if product in ["sle15", "sle16"] %}}
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
 {{% else %}}

diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml
@@ -1,12 +1,12 @@
-{{% if product in ["sle15", "sle16"] %}}
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/" %}}
 {{% else %}}
 {{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
 {{% endif %}}
 
 <def-group>
   <definition class="compliance" id="logind_session_timeout" version="1">
-    {{% if product in ["sle15", "sle16"] %}}
+    {{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
     {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}}
     <criteria comment="logind is configured correctly and configuration file exists" operator="AND">
       <criterion comment="Check the StopIdleSessionSec in {{{ logind_conf_file }}}" test_ref="test_logind_session_timeout_drop_in"/>

@@ -3,7 +3,7 @@
 # this file prepares unified test environment used by other scenarios
 # These should be tuned per product to match defaults
 
-{{% if product in ["sle15", "sle16"] %}}
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 LOGIND_CONF_FILE="/etc/systemd/logind.conf.d/oscap-idle-sessions.conf"
 mkdir -p /etc/systemd/logind.conf.d/
 {{% else %}}

diff --git a/.../guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml b/.../guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml
@@ -11,6 +11,7 @@
       dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
       block: |
         [Service]
+        ExecStart=
         ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
 {{% else %}}
 - name: Require emergency mode password

diff --git a/...x_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh b/...x_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh
@@ -16,6 +16,7 @@ sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default
 {{% if 'sle' in product or 'rhel' in product or product == 'fedora' or product == 'slmicro5' or 'ol' in families  %}}
 mkdir -p "${service_dropin_cfg_dir}"
 echo "[Service]" >> "${service_dropin_file}"
+echo "ExecStart=" >> "${service_dropin_file}"
 echo "ExecStart=-$sulogin" >> "${service_dropin_file}"
 {{% else %}}
 if grep "^ExecStart=.*" "$service_file" ; then

diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
@@ -28,6 +28,9 @@ references:
     stigid@ol7: OL07-00-021031
     stigid@ol8: OL08-00-010700
 
+identifiers:
+    cce@rhel9: CCE-86469-4
+
 ocil_clause: 'there is output'
 
 ocil: |-

@@ -1303,7 +1303,7 @@ controls:
       title: All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application
           user.
       rules:
-          - dir_perms_world_writable_root_owned
+          - dir_perms_world_writable_system_owned
       status: automated
 
     - id: RHEL-09-232245
@@ -2087,9 +2087,10 @@ controls:
     - id: RHEL-09-271065
       levels:
           - medium
-      title: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
+      title: RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity.
       rules:
           - dconf_gnome_screensaver_idle_delay
+          - inactivity_timeout_value=10_minutes
       status: automated
 
     - id: RHEL-09-271070
@@ -2511,7 +2512,7 @@ controls:
       title: RHEL 9 must terminate idle user sessions.
       rules:
           - logind_session_timeout
-          - var_logind_session_timeout=15_minutes
+          - var_logind_session_timeout=10_minutes
       status: automated
 
     - id: RHEL-09-431010
@@ -3500,6 +3501,16 @@ controls:
           - audit_rules_privileged_commands_crontab
       status: automated
 
+    - id: RHEL-09-654097
+      levels:
+          - medium
+      title: RHEL 9 must audit any script or executable called by cron as root or by any privileged user.
+      rules:
+          - audit_rules_etc_cron_d
+          - audit_rules_var_spool_cron
+      status: automated
+
+
     - id: RHEL-09-654100
       levels:
           - medium

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -3,7 +3,6 @@ CCE-86461-1
 CCE-86465-2
 CCE-86466-0
 CCE-86468-6
-CCE-86469-4
 CCE-86482-7
 CCE-86483-5
 CCE-86484-3

diff --git a/...ces/disa-stig-rhel9-v2r6-xccdf-manual.xml → ...ces/disa-stig-rhel9-v2r7-xccdf-manual.xml b/...ces/disa-stig-rhel9-v2r6-xccdf-manual.xml → ...ces/disa-stig-rhel9-v2r7-xccdf-manual.xml