Fix OS Release Comparing: 8.10

Gemfile

@@ -14,7 +14,6 @@ gem 'kitchen-ec2'
 gem 'kitchen-inspec'
 gem 'kitchen-sync'
 gem 'kitchen-vagrant'
-gem 'parser', '< 3.3.1.0'
 gem 'rake'
 gem 'rubocop'
 gem 'rubocop-rake'

controls/SV-230221.rb

@@ -51,16 +51,16 @@
   release = os.release
 
   EOMS_DATE = {
-    /^8\.1/ => '30 November 2021',
-    /^8\.2/ => '30 April 2022',
-    /^8\.3/ => '30 April 2021',
-    /^8\.4/ => '31 May 2023',
-    /^8\.5/ => '31 May 2022',
-    /^8\.6/ => '31 May 2024',
-    /^8\.7/ => '31 May 2023',
-    /^8\.8/ => '31 May 2025',
-    /^8\.9/ => '31 May 2024',
-    /^8\.10/ => '31 May 2029'
+    /^8\.1$/ => '30 November 2021',
+    /^8\.2$/ => '30 April 2022',
+    /^8\.3$/ => '30 April 2021',
+    /^8\.4$/ => '31 May 2023',
+    /^8\.5$/ => '31 May 2022',
+    /^8\.6$/ => '31 May 2024',
+    /^8\.7$/ => '31 May 2023',
+    /^8\.8$/ => '31 May 2025',
+    /^8\.9$/ => '31 May 2024',
+    /^8\.10$/ => '31 May 2029'
   }.find { |k, _v| k.match(release) }&.last
 
   describe "The release \"#{release}\" is still be within the support window" do

controls/SV-230244.rb

@@ -42,7 +42,7 @@
   tag 'container-conditional'
 
   only_if('SSH is not installed on the system this requirement is Not Applicable', impact: 0.0) {
-    (service('sshd').enabled? || package('openssh-server').installed?)
+    service('sshd').enabled? || package('openssh-server').installed?
   }
 
   client_alive_count = input('sshd_client_alive_count_max')

controls/SV-230285.rb

@@ -38,10 +38,14 @@
     !virtualization.system.eql?('docker')
   }
 
-  if os.release.to_f >= 8.4 && input('use_fips') == true
+  message = <<~MESSAGE
+    \n\nFor RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  if os.version.minor >= 4 && input('use_fips') == true
     impact 0.0
     describe 'For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable.' do
-      skip "Currently on release #{os.release}, this control is Not Applicable."
+      skip message
     end
   else
     describe service('rngd') do

controls/SV-230332.rb

@@ -87,10 +87,14 @@
     !input('central_account_management')
   }
 
-  if os.release.to_f >= 8.2
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  if os.version.minor >= '2'
     impact 0.0
     describe 'This requirement only applies to RHEL 8 version(s) 8.0 and 8.1' do
-      skip "Currently on release #{os.release}, this control is Not Applicable."
+      skip message
     end
   else
     [

controls/SV-230333.rb

@@ -48,9 +48,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL version 8.2 and later. If the system is not RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe parse_config_file('/etc/security/faillock.conf') do
     its('deny') { should cmp <= input('unsuccessful_attempts') }

controls/SV-230334.rb

@@ -74,9 +74,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL version 8.1 and earlier. If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {
-    (os.release.to_f) < 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   pam_auth_files = input('pam_auth_files')
 

controls/SV-230335.rb

@@ -48,9 +48,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe parse_config_file(input('security_faillock_conf')) do
     its('fail_interval') { should cmp >= input('fail_interval') }

controls/SV-230336.rb

@@ -76,9 +76,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL version 8.1 and earlier. If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {
-    (os.release.to_f) < 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   pam_auth_files = input('pam_auth_files')
 

controls/SV-230337.rb

@@ -50,9 +50,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe parse_config_file('/etc/security/faillock.conf') do
     its('unlock_time') { should cmp >= input('lockout_time') }

controls/SV-230338.rb

@@ -76,9 +76,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) < 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   pam_auth_files = input('pam_auth_files')
 

controls/SV-230339.rb

@@ -47,9 +47,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe parse_config_file('/etc/security/faillock.conf') do
     its('dir') { should cmp input('log_directory') }

controls/SV-230340.rb

@@ -72,9 +72,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) < 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   pam_auth_files = input('pam_auth_files')
 

controls/SV-230341.rb

@@ -48,9 +48,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe parse_config_file('/etc/security/faillock.conf') do
     its('silent') { should_not be_nil }

controls/SV-230342.rb

@@ -1,6 +1,6 @@
 control 'SV-230342' do
-  title 'RHEL 8 must log user name information when unsuccessful logon attempts
-occur.'
+  title "RHEL 8 must log user name information when unsuccessful logon attempts
+occur."
   desc 'By limiting the number of failed logon attempts, the risk of
 unauthorized system access via user password guessing, otherwise known as
 brute-force attacks, is reduced. Limits are imposed by locking the account.
@@ -75,9 +75,13 @@
   tag cci: ['CCI-000044']
   tag nist: ['AC-7 a']
 
-  only_if('If the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) < 8.2
-  }
+  message = <<~MESSAGE
+    \nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this check is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    ['8.0', '8.1'].include?(os.version)
+  end
 
   pam_auth_files = input('pam_auth_files')
 

controls/SV-230343.rb

@@ -48,9 +48,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe parse_config_file('/etc/security/faillock.conf') do
     its('audit') { should_not be_nil }

controls/SV-230344.rb

@@ -79,9 +79,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('If the system is RHEL version 8.2 or newer, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) < 8.2
-  }
+  message = <<~MESSAGE
+    \nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this check is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    ['8.0', '8.1'].include?(os.version)
+  end
 
   pam_auth_files = input('pam_auth_files')
 

controls/SV-230345.rb

@@ -49,9 +49,13 @@
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe parse_config_file('/etc/security/faillock.conf') do
     its('even_deny_root') { should_not be_nil }

controls/SV-244533.rb

@@ -57,9 +57,13 @@ module in the /etc/pam.d/system-auth file.
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   pam_auth_files = input('pam_auth_files')
 

controls/SV-244534.rb

@@ -58,9 +58,13 @@ module in the /etc/pam.d/password-auth file.
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe pam('/etc/pam.d/password-auth') do
     its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') }

controls/SV-250315.rb

@@ -69,9 +69,13 @@ module with the following command:
   tag nist: ['AC-7 a', 'AC-7 b']
   tag 'host'
 
-  only_if('This check applies to RHEL version 8.2 and later. If the system is not RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {
-    (os.release.to_f) >= 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   if virtualization.system.eql?('docker')
     impact 0.0

controls/SV-250316.rb

@@ -65,9 +65,13 @@ module with the following command:
   tag 'host'
   tag 'container'
 
-  only_if('This check applies to RHEL versions 8.0 and 8.1. If the system is RHEL version 8.2 or newer, this check is Not Applicable.', impact: 0.0) {
-    os.release.to_f < 8.2
-  }
+  message = <<~MESSAGE
+    \n\nThis check only applies to RHEL versions 8.0 or 8.1.\n
+    The system is running RHEL version: #{os.version}, this requirement is Not Applicable.
+  MESSAGE
+  only_if(message, impact: 0.0) do
+    os.version.minor.between?(0, 1)
+  end
 
   describe selinux do
     it { should be_installed }

inspec.yml

@@ -4,7 +4,7 @@ maintainer: MITRE SAF Team
 copyright: MITRE
 license: Apache-2.0
 summary: "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]."
-version: 1.14.1
+version: 1.14.2
 
 inspec_version: ">= 5.0"
 
@@ -1047,4 +1047,4 @@ inputs:
     type: String
     value: 'local'
 
-
+